Gartner released its latest information security governance survey this week, and it shows a genuinely positive trend: IT security, and indeed security more broadly, is becoming a board-level concern.
Boards are now treating cybersecurity as a business risk – hallelujah, finally! An organisation's security can only come from identifying the true risks and threats to the business's objectives (strategic, operational and tactical) and applying appropriate mitigations to those threats in the form of security controls.
In a world increasingly reliant on IT, it is no wonder that so many of the major risks to an organisation concern its information and data, and that IT security concerns therefore tend to centre on the networks and systems that hold them. Ultimately, IT security is about ensuring the confidentiality, integrity and availability of an organisation's data and information. Failure to ensure any of these three properties can create significant board-level issues: reputational damage caused by the release of sensitive information can lead to loss of customers – goodbye trust – and then loss of revenue, in unbelievably quick succession.
The Gartner survey also reported that cybersecurity is now being seen as an important part of security as a whole. This is because a cybersecurity threat is no longer an abstract IT problem; it now reaches into operational IT and the Internet of Things, which have themselves become so interwoven into organisations that their disruption can cause serious business harm.
It is no surprise that IT security and broader security are drawing closer together. An organisation's biggest risk is its people, whether their actions are deliberate or accidental. Opening an infected spam email or releasing sensitive data to the public are just two examples of how an employee can cause huge damage to an organisation. These have traditionally been treated as an IT problem, but they are increasingly being recognised as a general security problem – and rightly so.
All that being said, do I believe that boards need to be involved in all the nitty gritty of security measures and controls to protect data and information? Absolutely not. But recognising IT security at the board level and ensuring appropriate security governance is a definite yes.