If the past few years have taught us anything, it’s that uncertainty is inevitable. Uncertainty and risk are things we cannot avoid, and if we can learn to manage these two aspects, they can instead propel us to grow and become more adaptable to shifting environments. Following these last few years of uncertainty is the rise of new and expanding compliance requirements.
The federal government and regulatory bodies are gearing up to layer on regulations to bring public and private entities in line with cybersecurity requirements. The Department of Energy, TSA, and SEC are just a few organizations redefining and expanding industry compliance requirements.
Navigating regulatory change does not have to be a roadblock to your business. In our opening keynote for STRONGER 2022, Daniel Dobyrgowski, Head of Governance and Trust at the World Economic Forum, sat with Kevin Powers, Director of MS in Cybersecurity Policy and Governance Program at Boston College, Angela Dingle, President and CEO of Ex-Nihilo Management, and John Wheeler, CEO of Wheelhouse Advisors, to discuss how organizations can standardize, centralize, and automate their risk and compliance programs for the future.
Cybersecurity is a People Problem
For any company to adeptly grow along these regulatory changes, cybersecurity needs to be understood as a people problem rather than a technical one. Cybersecurity involves the people running the day-to-day business, the decision-makers of the company, and the tools and technologies used to run the business. Professionals should reduce the gap between senior business leaders and cyber experts because these functions are inherently related.
“There’s a need for greater understanding of how technology assets link into operational business processes supporting major strategic objectives and determining the most critical business processes out there,” said Wheeler. Cybersecurity is much more than securing the technology used. Understanding how technology assets interact with people and other technology assets - within and outside of the organization is essential. Consider the recent supply chain disruptions - these are an example of just how far technology extends beyond the organization.
Bolstering cyber resilience along with strengthening the understanding of just how far cybersecurity impacts organizations is crucial to improving risk and compliance programs. Most organizational leaders will agree that a cyber attack can occur sooner or later, but how well the company responds to the attack is critical. Not only will it impact the success of your own business, but it is also essential to factor in how your organization may directly impact others and vice versa.
Cooperation at a Higher Level
“If we’re going to improve cybersecurity, we’re going to have to build cyber resilience,” said Dobrygowski. With this notion, the governing bodies have decided to roll out new standards and guidelines, leading to increased fragmentation as regulations proliferated. How do companies exactly make sense of this flux? It all ties back to the idea that cybersecurity is not a tech issue; it’s a risk management issue that needs to be run from the top down.
Security professionals must fully integrate executive leaders and board members into cybersecurity and vice versa; cybersecurity has to be rolled into a company's business objectives.
Organizations like the FTC and NYDFS aim for their regulations to pivot from “you should be doing this” to “you shall be doing this.” Before, these regulating bodies trusted companies to implement the frameworks suggested but received tons of pushback at the suggestion. With the threat landscape advancing in the manner it has, industries can no longer support this lax approach.
“There has to be an understanding at all levels that this could really cost you and put you out of business if you chose not to follow along,” said Dingle.
These regulations will pressure senior leadership and cybersecurity professionals to scale the programs they’ve been developing and rise to the expected level.
Pillars of an Effective Cybersecurity Program
“I think it’s all about greater collaboration between technology staff,” said Wheeler. “And I intentionally say technology, not IT, because what I’m seeing is a proliferation of need beyond the information center and into the operational technology arena.”
The creation of a more robust and effective cybersecurity program will involve more than the skill sets of a traditional IT group. Security professionals must work with leaders from all units to communicate and collaborate on how these new technologies are deployed in the business and their impact.
A core function of a successful cyber risk management program is open and accessible communication about risk and cultivating an ongoing dialogue. Traditional work cultures may inhibit this openness, but organizations must get beyond this roadblock. Open communication is one of these new regulations' goals, enabling companies to respond to events adeptly.
To support open communication, CISOs must function like ambassadors, reach out to the business units, and promote security, but Powers raises a key obstacle to ‘selling’ cybersecurity.
“It’s a tough sell because when given the opportunity between a secure network and an efficient one that’s going to make you money, it’s always going to be efficiency, money, and more profit,” said Powers. “A business is a business.”
To combat this problem, companies must structure their risk management with a top-down approach. This approach ensures that security informs decisions across all business units and underscores the idea that cybersecurity is a core function of the business.
“You’re gonna have a seat at the table because you’re talking business when you’re talking cybersecurity,” explained Powers.
Talking Cyber at the Executive Level
Here are some best practices and guidelines to follow when cultivating open and ongoing communication about cybersecurity at the executive level.
Cybersecurity needs to be presented like how other senior executives offer their vision to the board and stakeholders. CISOs and security professionals need to set the tone at the top of the C-suite about the importance of cybersecurity, what cybersecurity means within their business and industry, and share their vision of where they want to see the company go.
There’s no cookie-cutter recipe for cultivating a cyber-aware work culture. Still, one thing we know is that the CEO or any senior leader must understand how technology can affect the ability to conduct business. Security professionals must set the tone at the top for the rest of the company to follow.
Often, teams need to perform internal research on their own company and get creative. They can employ educational training platforms, send out company newsletters updating employees on the progress of their program, include it in contracts, and more. You have to make it valuable to the employees.
“Once you create that internal culture of awareness, that understood value of cybersecurity, I think that is when you start to see change,” said Dingle.
Companies can start to win business as a result of improved cybersecurity. An outcome like this promotes the idea that if everyone works together to improve cyber, the company will win, and the employees running the company will also win. Creating opportunities for the company also creates opportunities for the individual employee.
Regulatory Change is Manageable
Governing bodies will not stop rolling out new regulations. It’s time for companies to step up and scale their risk and compliance programs or face the consequences of heavy fines or a cyber attack that could put the company out of business. Cybersecurity is a core function of business, and if companies want to keep operations running smoothly, they must integrate cyber across all business units.
Learn more about how you can adeptly navigate regulation change and build a comprehensive risk and compliance program in our keynote from the STRONGER 2022 conference here.