Getting started with cybersecurity governance
by: Gil Genio, FICD
ICD Fellow
Institute of Corporate Directors
Board directors and executive management are focusing more time on cybersecurity threats and how to mitigate such risks. Cybersecurity governance is a trending topic given that there are almost daily headlines on cybersecurity breaches, fines being levied related to unauthorized customer data leakage, financial losses, and even ransomware events. Information security, cybersecurity and data privacy are complex and ever-evolving topics, requiring organizations to constantly assess and update their defenses and incident response procedures. Bad actors try to find where your organization is exposed (known as its “attack surface”), compromise your users and their devices, and once inside, try to find other vulnerable users, devices or servers. They even attack you through your supply chain. But what exactly does “cybersecurity governance” mean for board directors? And how can an organization make sure that it has the right elements in place to mitigate cybersecurity risks? I can offer some advice given my experience as a telecom executive, which included overseeing the information security and data privacy team. And as a board director, I can suggest some important questions the board needs to ask and what organizations must implement:
Has the organization adopted a globally accepted cybersecurity framework? Frameworks such as that of US-NIST are helpful in ensuring the completeness and robustness of risk mitigation. And with the rise of hybrid work, has the organization adopted the concept of “zero trust”?
Has the organization evaluated or determined what are its most important proprietary commercial or customer assets? Manufacturing, retail, telecom, energy, healthcare, financial services organizations will have different assets critical to their operations, compliance and reputation. Continuing cybersecurity investments need to be directed towards protecting the most critical assets.
Does the organization perform regular vulnerability assessments? These assessments often involve engaging third parties to assess weaknesses from outside the organization (mainly through the internet), but also to assess vulnerabilities created internally (such as poor software development practices, IT infrastructure configuration, or employee behavior). And when starting out on this cybersecurity journey, has the organization performed a compromise assessment? This involves a deep scan of technology assets, including links with partners, to determine if there are indications that bad actors have already penetrated the organization.
Does the organization prioritize its cybersecurity investments in software, platforms, procedures, and talent upskilling, by matching its vulnerability assessment with its view of the most critical assets to protect? Many organizations soon realize that investments will never be enough, and therefore must ensure that they meet minimum safeguards, that they are prioritized, and that such investments are made over several years. Priorities may also be adjusted regularly as new threats and vulnerabilities arise. “Dwell time”, which measures the time from when an intrusion started to when it was discovered, needs to continually decrease. (In Mandiant’s M-Trends Report 2023, Asia Pacific median dwell time worsened to 33 days.)
Does the organization track investments, action plans, procedure changes and talent regularly, to ensure continued progress in mitigating cybersecurity risks? Often, risk mitigation happens over several years, and is constantly re-evaluated as new threats arise, or new capabilities are acquired. Of particular concern is the global war for talent in cybersecurity, and organizations need to make difficult choices about talent hiring, upskilling, and complementing with third parties and modern technologies such as AI-driven security software.
Does the organization have access to early warnings if there are newly discovered vulnerabilities, or if its defenses have been breached, or if its supply chain has been compromised? Usually provided by third parties, such “threat intelligence” is an important part of an organization’s toolkit.
Does the organization have a “push button ready” response team and procedures involving internal or external parties, in case cybersecurity breaches do occur? Are these tested regularly to ensure rapid response? “Contain time”, which measures the time from discovery to remedy, should constantly decrease.
In cybersecurity, they say that an organization needs to be lucky all the time, while an attacker needs to be lucky just once. There is no technology, software, platform, vendor, framework or response team that can guarantee that no breaches occur. But board directors and executive management can limit the impact to an organization, which is the essence of sound risk management. Or as they say, hope for the best but prepare for the worst.
Gil Genio is a retired Ayala and Globe executive. His last role was Globe’s Chief Technology and Information Officer (CTIO) from 2015 to 2021, which included the Enterprise Data Office, and Information Security and Data Privacy. He is currently an Independent Director at publicly listed companies GT Capital Holdings (GTCAP) and Puregold Price Club (PGOLD). He is a member of the Management Association of the Philippines and a Fellow Member of the Institute of Corporate Directors.