URL: https://tcblog.protiviti.com/2023/05/02/creating-a-resilient-cybersecurity-strategy-part-2-the-role-of-senior-leaders-in-gove...

Cybersecurity


CREATING A RESILIENT CYBERSECURITY STRATEGY, PART 2: THE ROLE OF SENIOR LEADERS
IN GOVERNANCE

Nick Puetz, Ray Zellmer
May 2, 2023
6 min read

This is part two of a three-part series about developing a cybersecurity
governance lifecycle that provides coverage, balance, effectiveness, efficiency
and assurance. Because clear boundaries between governance roles are so
important, this series explores the cybersecurity governance lifecycle in the
context of enterprise governance and strategy. This post explores the role of
the senior leadership team in cybersecurity governance and discusses how
cybersecurity leaders can support the success of the senior leadership team in
governing cybersecurity. Next, we look at the role of the board.

Cybersecurity governance should go beyond managing cyber risk — it should
clarify the outcomes expected from program activity and establish clear
boundaries of responsibility among cybersecurity practitioners, senior leaders
and board members. Senior leaders at many organizations have found themselves
pulled into tactical cybersecurity matters recently, when their organizations
actually experience cyber threats. These tactical distractions limit senior
leaders’ ability to perform the strategic responsibilities of their designated
roles. While this phenomenon is likely to continue, cybersecurity leaders can
help reverse this blurring of roles by equipping senior leadership teams (SLTs)
with questions and expectations that will help promote the SLT’s proper role in
cyber governance.

Some SLTs are still defining their strategic roles in cybersecurity governance.
When senior leaders don’t ask these top-level questions, cybersecurity leaders
can volunteer the information anyway, to enhance communication and support
clarification of the SLT role.

IS THE RIGHT CYBERSECURITY PROGRAM OPERATIONAL?

The dialogue starts with the most foundational question the SLT might ask: does
the organization have a proper cyber governance program? While many
cybersecurity teams are likely to respond that they do have viable cyber
governance programs, we have found that many governance programs are
under-invested or leverage outdated approaches that are not in line with the
needs of the organization. To affirm the operation of a robust cyber governance
program to the SLT, cybersecurity leaders could indicate they’re operating a
program that’s in line with the practices described in the first post of this
series.

DOES THE CYBERSECURITY PROGRAM ALIGN WITH AND SUPPORT THE ORGANIZATIONAL
STRATEGY?

The SLT will also want to confirm that the cybersecurity program demonstrates
alignment with organizational strategy and that there is awareness of how the
strategy will impact cyber risks for the organization. The program should
understand and respond to the risks that are relevant to the business in
question. This means clearly articulating how the cybersecurity program is
adapting to address risks related to the strategy, but also clarifying for the
SLT how achieving the strategy will impact the risk profile of the organization.
Specifically, SLTs should be assured that the organization has a full
understanding of its risks including business, geopolitical and regulatory
risks. A clear and ongoing dialogue should exist with cybersecurity leaders
about corporate culture and the organization’s risk tolerance. This dialogue
should also include assuring a strong understanding of the organization’s risk
profile and how the industry the organization is part of drives part of that
risk profile. (The inherent risk profile of an organization that provides
components of critical infrastructure, for example, will differ from those of a
garment manufacturer. Both will have external and internal threats, but their
prevalence and impacts could be different.)

Clear linkages between business-critical processes and supporting systems to
risks associated with the organization’s strategy is an additional indicator of
alignment to organizational strategy. An organization’s systems support,
automate and create resilience around its key business processes. Prioritizing
security for critical business processes and the systems that support them
demonstrates the cybersecurity program’s alignment with business strategy. With
a risk-based approach, the security of every system matters, but a system’s
proximity to business-critical processes establishes its priority. (Systems
that participate in revenue generation, for instance, or that house customer and
client information, warrant a higher priority and potentially higher levels of
protection for a risk-based cybersecurity program.)

IS THE CYBERSECURITY PROGRAM EFFECTIVE?

After determining the right kind of cybersecurity program is operational and
aligned with the organization’s strategy, SLT members will want to ask for
information about these program elements to confirm the cybersecurity program is
effective (alternatively, cybersecurity leaders can volunteer this information):

 * Does the program make use of a reputable framework, like the National
   Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF)?
   Adherence to established and reputable frameworks, such as NIST CSF or one of
   the others outlined in this blog post, ensures cybersecurity leaders follow
   standard guidance to organize their programs and the controls that exist
   within them.
 * Is the program mature? Assessments of program maturity demonstrate a
   program’s strength and its alignment to a known framework. SLTs learn to look
   for alignment to organizational strategy and assurance that controls are
   effective.
 * Are key risk and performance indicators regularly produced and tracked? Some
   cybersecurity programs provide a summary of all available cybersecurity
   metrics to their SLTs. Metrics are more effective, however, when they tie
   tactical controls to the organization’s known risks. For example, one
   financial services organization had a known risk related to system
availability. Security experts determined that patches to systems were not
implemented in a timely manner and recognized that as the root cause of excessive
system downtime. The tactical control metric tied to the known “system availability”
   risk, therefore, was mean time to patch. The SLT soon learned that timely
   patching led to improved system uptime. They gained an interest in tracking
   not only the system availability metric but also the mean time to patch
   metric as a way to ensure tactical controls kept system availability stable
   and improving.
 * Are controls effective and sufficient? Control efficacy demonstrates that
   controls are in place; control coverage ensures they encompass all known
   risks. Assuring efficacy and coverage involves multiple lines of defense,
   starting with evaluation of the security program’s operations. Assurance also
   includes confirming that controls are aligned to regulations that are
   meaningful to the organization (such as Sarbanes-Oxley and Payment Card
   Industry standards), as well as conducting appropriate audits to test
   coverage and efficacy of controls. Reporting the results of audits and
   control testing and tying any control testing failures to risks will help the
   SLT better understand the importance of the controls as well as assure them
   that controls are operating.

While SLTs will continue to experience distractions related to tactical
cybersecurity matters, cybersecurity leaders can help them perform well in their
cyber governance roles. Even when SLT members don’t ask, cybersecurity leaders
can guide development of clearly bounded roles by furnishing the cybersecurity
program information that will help SLTs govern cybersecurity effectively.

NICK PUETZ
Managing Director, Security and Privacy

RAY ZELLMER
Director, Security and Privacy