Menu
Menu
ISACA: Boards and the executive team must take a leadership role in cybersecurity

ISACA: Boards and the executive team must take a leadership role in cybersecurity

The board must establish risk appetite and accountabilities, and require current and target state reporting of its cybersecurity risk profile, says Garry Barnes of ISACA.

It is critical that business leaders acknowledge cybersecurity is not just an IT problem; it is an issue that affects the whole enterprise, says Garry Barnes, ISACA international vice president.

“Technology plays a vital role in enabling business today,” says Barnes, who is also governance advisory practice lead at Vital Interacts. “However the dependency on IT, and the interconnected world in which businesses operate, brings with it some significant challenges, one of which is cybersecurity.”

Boards and executives must set cybersecurity expectations within the business, he states. “They must ensure the approach being taken by the organisation is aligned with achieving its business goals and regulatory and legal obligations while also addressing evolving cybersecurity risks.”

Related: ‘Security is the biggest issue facing the industry at the moment, not only in finance. It is every industry’: Russell Jones of ASB in this year’s CIO100.

Barnes highlights the roles of the boards and executive teams in the light of the recent ISACA survey in which over 60 per cent of IT professionals in Australia and New Zealand reported they expect a cyberattack to affect their organisation this year.

The regional figures were taken from the 2015 Global Cybersecurity Status Report, conducted last January. Respondents were 3439 ISACA members in 129 countries, with 121 respondents from Oceania (comprising Australia, New Zealand and Papua New Guinea).

Barnes says in setting expectations, the board must establish risk appetite and accountabilities, and require current and target state reporting of its cybersecurity risk profile.

Read more: ‘Disrupt digital businesses before you get disrupted!’

As the world grapples simultaneously with escalating cyberattacks and a growing skills shortage, ISACA believes that it is absolutely essential to develop and train a robust cybersecurity workforce.

Line-of-business leaders, on the other hand, need to be aware that the cybersecurity control framework incorporates technical and non-technical solutions (such as security awareness, end-user practices, vendor management, incident response, and recruitment practices).

Read more: Primed for change

These non-technical areas typically lie outside of the control of the CIO and CISO, and require executives and business managers from across the enterprise to play their part is ensuring an adequate cybersecurity response remains in place, says Barnes.

The ISACA survey shows close to half (46 per cent) of respondents expect their organisation to face a cyberattack in 2015. But the figures are higher locally, with 61 per cent of ANZ respondents saying they expect a cyberattack this year.

This is concerning, since less than half of ANZ IT professionals (43 per cent) say they are prepared for this, likely due to a global shortage of skilled cybersecurity personnel, says Barnes.

Moreover, more than 85 per cent of ANZ members surveyed believe there is a shortage of skilled cybersecurity professionals.

Read more: ‘The CIO holds the most strategic role in the enterprise today, with the exception of the CEO’

Finding and retaining skilled cybersecurity employees is a key challenge, with only 43 per cent of ANZ IT professionals stating the organisation would be prepared to fend off a sophisticated attack.

When asked about hiring entry-level cybersecurity candidates, 53 per cent said it is difficult to identify who has an adequate level of skills and knowledge.

Related: Dr Ryan Ko of the University of Waikato talks about ‘the untrammelled rise of the cybersecurity professional’.

“As the world grapples simultaneously with escalating cyberattacks and a growing skills shortage, ISACA believes that it is absolutely essential to develop and train a robust cybersecurity workforce,” says Barnes.

Read more: Movers and shakers: Claire Govier, Phil Brimacombe, Rick Gibson and Alan Grainer

He says this was one of the drivers for ISACA’s Cybersecurity Nexus (CSX), which was launched last year, to provide resources to support security professionals at every level of their careers.

When recruiting skilled staff, companies must have a realistic understanding of what they can do well and what they cannot in cybersecurity, he states. “CIOs, CISOs and security leaders must revisit the organisational structure and skills of their security teams and IT staffs that have any responsibility for securing information assets.”

“Security practitioners need to understand the relationship between their organisation, its people, its IT assets and the kinds of adversaries and threats they are facing,” he adds. “It is only through this analysis can the right cybersecurity program be designed and implemented where budget, skills, intensity and performance all are balanced at the appropriate levels.”

Send news tips and comments to divina_paredes@idg.co.nz

Read more: SAS Global Forum 2015: Bringing cyberanalytics to the frontline

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.

Read more: New executive appointments at SAP, Institute of Directors and ISACA

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO New Zealand newsletter!

Error: Please check your email address.

Tags cybersecurityCIO100ISACACIOS and the board

More about CSXFacebookISACATechnologyUniversity of Waikato

Show Comments