What kind of cybersecurity governance do you need to anticipate risks and protect your company?
Ensuring the security of information systems in a large organisation is a major challenge.
Only sound governance can reassure general management, clients and partners, shareholders and, ultimately, the general public. To achieve this, several initial questions must be addressed:
- How should suitable governance be defined?
- What are the prerequisites for its implementation?
- And why is it crucial to establish a clear operational vision?
Whether you like it or not, cyber risk will only grow: it is already everywhere today, but with the digitisation of companies, this is only the beginning!
Building security governance
Today, with digital transformation and the digitisation of physical processes, there are hardly any essential functions left within companies that are independent of their information systems. At the same time, IT threats have never been so costly: hacking cost as much as €45 bn in 2018 [1]. Striking examples, such as Altran and Capital One in 2019, have shown that these cyberattacks can be devastating both for client data, in particular sensitive data, and for the information and financial assets of their service providers.
It is clearly essential for companies to protect their systems. Cybersecurity addresses the challenge of protection and building trust among current and prospective clients. Executives demand the security of the businesses they are responsible for and must have faith in the level of security provided. This is why cyber governance is led by a manager who covers all of the company's business activities.
Depending on the organisation, this may be an IT Security Director, for example. It is this manager's mission to raise awareness among company executives, present, for the company's particular environment, the significant consequences a cyberattack may have on its business, value, assets, reputation and even its ultimate survival, and put forward suitable measures to cover this risk. To meet these challenges, companies in the digital sector must also introduce 360-degree awareness-raising, both internally and among their clients, with the aim of building a secure framework.
Raising awareness among employees: a necessity
Security governance cannot exist without the cooperation and involvement of all, and raising awareness among employees plays a central role. As the first point of contact, people are at the root of 75% of security issues [2]. The various cyberattack methods in use expose employees to increasingly frequent risks, which should be prevented by providing assistance to all.
This awareness-raising could, for example, take the form of micro-learning: short, voluntary training units that require only a brief effort and are easily accessible as part of a global training tool, to which the information system security management team can add good-practice recommendations that can be consulted at any time. Awareness-raising can also be top-down, with alerts sent to employees by general management to warn them about potential threats and prevent high-risk behaviours.
Assisting and training clients to use the public cloud
The security challenge is not based solely on internal awareness-raising within companies in the digital sector. They now have a new role as providers of assistance, related to the deployment of the public cloud as a technology foundation for numerous new projects and growth. While it is clearly a source of new business prospects, the public cloud, which is easier to access than on-premise infrastructure, also opens the door to new security breaches.
For many organisations whose business is wholly or partially based on the cloud, this ease of access and the automation of many parameters provide security, while the Internet access it requires increases the number of potential breaches. If your clients are in this situation and you are assisting them with the deployment of this type of project, you have a significant training role to play in order to secure the organisation as a whole.
Use their internal policy as a basis to identify shortcomings and procedures to be strengthened, and provide training on IT security best practices and suitable solutions to address any breaches. Developing an internal policy based on awareness-raising and relevant security governance is the cornerstone of a secure system, for both you and your clients.
[1] Study conducted by Online Society Alliance, 2018.
[2] Study conducted by Conscio Technologies, 2016.
By Majid Alla, Group Chief Information Security Officer, and Matthieu Fouquet, Devops & Microsoft Azure Consultant, at SQLI.