A major new role for the practitioner

Yesterday, I was reviewing State of Cybersecurity 2022 from ISACA. They surveyed 2,031 people who “hold the ISACA Certified Information Security Manager® (CISM®) certification or have registered information security job titles”.

The results are sad. They include (with my emphasis):

  • Sixty-three percent of respondent enterprises have unfilled cybersecurity positions.
  • Fifteen percent say they are significantly understaffed.
  • Sixty percent of enterprises report experiencing difficulties in retaining qualified cybersecurity professionals.
  • The number of survey respondents who believe their cybersecurity programs are appropriately funded increased to 42 percent—a five percentage-point jump and the most favorable report since ISACA began its state of cybersecurity reporting.
  • Last year’s declining optimism about cybersecurity budgets reversed course this year, with 55 percent of respondents expecting an increase in funding.
  • Although 82 percent of respondents believe their leadership team sees value in conducting a cyberrisk assessment, only 41 percent of respondent enterprises perform an annual cyberrisk assessment.
  • 33% perform assessments more often than annually: 8% every 7-12 months, 16% every 1-6 months, and 9% monthly.
  • Despite the high-profile media attention to ransomware attacks during this reporting cycle, cyberattack reporting is mostly unchanged from last year.
  • Sixty-nine percent of respondents whose organizations experienced more cyberattacks in the past year report being somewhat or significantly understaffed.
  • While there are other more prevalent reasons for cyber staff to leave a company, such as high stress levels (45%), 34% say they are leaving because of a lack of management support.
  • Survey respondents’ confidence in the ability of their cybersecurity team to detect and respond to cyberthreats reaches an all-time high of 82 percent — a five percentage-point increase from last year (figure 32). This confidence is remarkable, considering that 46 percent of respondent enterprises have a security staff of just two to 10 individuals. Further, in-house staff fully manage approximately half of their five major security functions (identify, protect, detect, respond and recover), with most of the remainder partially outsourced.
  • Only 34% believe that their cybersecurity training and awareness programs have had a strong impact on overall employee cybersecurity awareness in their organization, with 46% reporting some positive impact.

While ISACA, as you can see from the language in the excerpts above, focuses on the positive – the small improvements in a few areas – I can only see a sad state of affairs.

All of the respondents were information security practitioners.

They believe, and this is understandable, that they have insufficient budgets and resources.

Now let’s throw in some additional observations:

  • Surveys show that it can take as long as six to twelve months to detect a breach, and three months or more to know what has been affected. This doesn’t compute with the report that 82% say they can detect and respond to cyberthreats.
  • Other surveys show that there is a gap in the understanding of cyber-related risk between boards, top executives, and cyber practitioners.
  • Management and the board will fund and resource activities they believe add value, giving a desirable return on investment. That return can come from eliminating or mitigating the harmful effects of a breach. The fact that they are not providing the funding and resources practitioners believe is appropriate is telling!
  • Consultants (even spreading to the SEC!) are asking boards to improve their cyber technical knowledge and understanding. However, boards need to understand the business, their competitors, the regulatory environment, compliance requirements, and both opportunities and other sources of risk. They also have to be experts in hiring, firing, and compensating executives. They can’t reasonably be expected to have experts on everything!

I have been suggesting that organizations should recognize that providing effective cybersecurity in-house is probably a futile exercise. Instead, they should strongly consider outsourcing as much as they can, with an in-house staff that oversees it, works with the enterprise risk function, and coordinates with management to understand the risk to the business and its objectives.

There is also that constant drumbeat that boards should have a cyber expert. I strongly disagree. I have spoken to board members who have a tech background, even an infosec background, but they cannot keep up with all the new threats and technologies.

Instead, boards should expect management to have the ability to understand – and explain, importantly – the threat that a breach might pose to the business and its success.

The CEO should be able to explain the business risk! If not, he or she has a problem!

So what is this new role for the practitioner?

Help bridge that gap!

  • Stimulate more attention on the effective understanding and monitoring of cyber-related risk. By that, I don’t mean risk to information assets – a term loved by NIST and ISO but meaningless to those running the business. I mean the risk to achieving enterprise objectives. Educate the board, management, and the practitioner. Report any failure to understand the business risks as itself a huge business risk, and make sure it is discussed at both executive and board meetings.
  • Help the CEO and other top executives like the CFO and COO understand cyber risk in business terms.
  • Bring practitioners and management together in facilitated workshops to understand and assess how a breach could affect the business.
  • Help practitioners set aside their technobabble and replace it with language that makes sense to the business.
  • If we believe cybersecurity is underfunded, say so!
  • If we believe it is adequately funded, say so – and help the practitioners understand why. Perhaps they are allocating the funding they have poorly.
  • If we believe that leadership of cyber and information security needs improvement, say so!

Don’t stand on the sidelines watching failure in motion.

Get in the game.

I welcome your thoughts.

  1. Mike
    March 27, 2022 at 7:53 AM

    Agreed, cyber risks should be focused on in terms of business objectives and impacts. IT is the business, or is integrated into the business model, these days. Disappointing that cyber security is still treated in a silo; we need the end-to-end business security focus. Not sure if the traditional roles of second-line CISOs or IT security teams sufficiently support the business.

  2. March 28, 2022 at 1:30 PM

    Totally agree. My informal definition of the internal audit role is to independently evaluate management’s strategies (in both design and effectiveness) in key areas. If management’s strategies are inadequate, the auditor must be willing to say so. First politely to management. Then with “repeat” recommendations. And all of this should be going to the Audit Committee, of course, who should be especially attuned to asking management for clarification of “repeat” recommendations. The process is there for the auditor to be a change agent.

    • Norman Marks
      March 28, 2022 at 1:38 PM

      Charles, are you second-guessing management’s selection of strategies?
