An important aspect in the management of cybersecurity within organizations is the handling of the issue at the level of top management, boards and executive leaders.
For a long time the prevailing trend has been to treat cybersecurity risk differently from the other risks facing the organization: in other words, the assessment of cyber risk was often decoupled from the company's overall risk management, and cyber risk was therefore confined to a technological approach that reduced information systems security to a support function.
In general, company directors and their boards make sound efforts in risk management, implementing robust processes for compliance, financial risk or even mergers and acquisitions. On the other hand, the implementation of robust controls for the cybersecurity of their company's operations has often remained the poor relation of enterprise risk management. We may therefore observe that cyber risk was treated as a weaker strategic threat than financial or compliance risk.
One may ask whether this underestimation of the risk posed by cyber threats, and the lack of sound processes for monitoring cyber risk as part of corporate governance, stems from a lack of knowledge of cybersecurity issues at the executive and board level. Ultimately, cyber risk can no longer be seen as a simple technical problem: it is a key element of enterprise risk management that requires genuine oversight by top management and boards, all the more so because cyber risk carries significant legal ramifications that can ultimately engage the liability of the company's top management.
What is more, since top management embodies and drives the company's culture, by taking ownership of cybersecurity, and thus leading by example, executives can send a clear message to employees that managing cyber risk in the organization is neither an obstacle to the conduct of operations nor a mere compliance tool, but on the contrary an integral part of the company's strategy, culture and business.
The task is therefore to stimulate, promote and actively develop a corporate culture that takes cybersecurity into account. As is well known, the human factor remains the weak link in cybersecurity, which makes awareness-raising essential, and above all adherence to the principles that govern cybersecurity management within the organization. This implies that top management and executives be clear about their posture toward cyber risk and, more broadly, about the risk culture of the organization they lead. They are in fact responsible for defining, communicating and enforcing within their organization a risk culture that influences, guides and aligns the company's strategy and objectives coherently, and which thus promotes the integration of risk management processes into the organization and among its employees.
I welcome your thoughts and comments.