Cybersecurity Governance: Best Practices for European Companies

Cybersecurity governance is a strategy to coordinate cybersecurity activities that integrate with organizational operations with oversight from executive leadership. According to the research by CESIN (French Information and Digital Security Experts Club), a majority of executive committees are now willing to put cybersecurity at the forefront of their governance strategy. As the regulatory landscape in Europe evolves, cybersecurity governance is becoming a priority.

Christophe Forêt

An article from

Christophe Forêt
President and co-founder of C-Risk
Published
November 9, 2023
Updated
November 9, 2023
Reading time
minutes
cybersecurity gouvernance - C-Risk

What is cybersecurity governance?

Cybersecurity governance is all about company directors’ empowerment to make decisions around cybersecurity policy.

Definition of cybersecurity governance

Different international standards like COBIT and ISACA offer differing definitions of cybersecurity governance. In the larger family of ISO 27000 standards, ISO/IEC 27001 defines the principles of implementing an ISMS (Information Security Management system), while governance of the security of information has its own norm, ISO/IEC 27014-2020. In turn, the ISO (International Standards Organization) and IEC (International Electrotechnic Commission) define IT governance as “concepts, objectives, and processes [...] by which organisations can evaluate, direct, monitor, and communicate the information security-related processes”.

Cybersecurity governance forms a large part of conversations in business, as the stakes now come under the responsibility of the highest levels of an organization. While IT security once fell under the remit of technical and operational teams, nowadays, higher levels of management are getting involved, with key players like CSIOs, CIOs and CROs bringing the subject to senior and general management.

To summarize, cybersecurity governance represents all the decisions that an organization must make in order to secure its IT and information systems.

What is the use of information security governance?

Cybersecurity governance should, before anything else, focus on managing cyber risks – anticipating potential cybersecurity threats to estimate and limit future financial loss. This loss depends largely on a given company’s tolerance to risk; the undesirable outcomes – or financial losses – it is willing to suffer.

At C-Risk, we recommend analyzing risk based on quantifiable and mathematical criteria, such as those laid out by the FAIR™ (Factor Analysis of Information Risk) standard. The resulting actions to be taken in order to manage a cyber risk can be divided into four categories: dealing with it, avoiding it, reducing it, or transferring it.

Who should be involved in IT governance?

As explained above, and as the name suggests, cybersecurity governance falls, first and foremost, under the remit of senior management. Executive committees and boards of directors are the central figureheads in decision-making. Although CIOs are no longer the central players when it comes to cybersecurity governance, they still play a key role in creating awareness and offering support to company directors.

In terms of businesses, none really escape the necessity to define their information security governance – since its aim is to anticipate and regulate cyber risks, this governance affects companies of all sizes.

Let us not forget that cyberattacks have sharply risen since 2020, and in 2018, CESIN research further showed that 92% of businesses had experienced at least one cyberattack. Furthermore, the significance for small businesses cannot be overstated as they are the structures that are the least likely to be well protected, therefore making them easy targets for hackers and other cybercriminals.

Cybersecurity falls under the jurisdiction of general management

Transform how you model, measure, and manage cyber risk.

Discover how our CRQ Solutions can help you quantify and mitigate your cyber risks.

Learn more

Why implement cybersecurity governance?

CESIN’s research published in February 2021 demonstrates that the most important challenge identified by businesses in 2020 is around integrating effective cybersecurity into governance. So much so that 60% of participants in the study said it was the most important factor, while 72% expressed that they were more confident with high level management taking charge of the topic.

Indeed, implementing cybersecurity governance places IT at the heart of company strategy, thereby making it more logical to invest in other related areas:

  • employee awareness around cyber risk and how human vulnerabilities contribute;
  • allocating sufficient resources to cybersecurity;
  • increasing dedicated staff;
  • acquiring software that better protects the company from cyberattacks (this was cited as desirable by 85% of CESIN participants).

That being said, developing effective cybersecurity governance brings with it its own network of challenges, such as:

  • the fear that a cybersecurity policy will slow down company digitalization;
  • the constant updating and renewing of regulations, forcing regular updates to IT security governance;
  • a lack of experts in cybersecurity jobs;
  • the fact that CISO budgets and resources are in bad shape, and CIOs’ teams are under-staffed;
  • the under-funding of departments dedicated to IT security;
  • analysis methods being too subjective and therefore biased.
Cybersecurity governance requires collaboration between several partners

Implementing cybersecurity governance

The risk management method that C-Risk uses relies on companies’ willingness to distance themselves from subjective and therefore imprecise approaches to managing risk. Applying the method to cyber governance therefore allows for IT policy decision-making to be guided by the quantifiable probabilities of cyber risk-related financial loss.

This method breaks up the responsibility for cybersecurity governance into three “lines of defense”:

1) The first line of defense consists of defining the limits of operational responsibility of cyber risk. Generally, this revolves around those responsible for business processes and technical monitoring of the IT system. This line of defense deals with day-to-day incident detection and avoidance, and also sometimes covers company risk and vulnerability analysis, and monitoring of the tools put in place by the first line of defense. It is also a point of contact between the first and second lines of defense.

2) The second line of defense covers managerial roles involved in internal cyber risk management, as well as questions around legal compliance. It is responsible for defining the policies, processes, and standards used. It is also at the centre of checking and monitoring the actions of the first line of defense. Generally speaking, the second line of defense covers the roles and responsibilities of the CISO and DPO (data protection officer).

3) Internal and external auditing make up the third line of defense against cyber risk. In reality, this is an independent validation of the first and second lines of defense, and is carried about mostly by high-level management every six months or every year.

These three categories of partners interact with each other to define solid IT security governance – policies and procedures capable of detecting, preventing, and responding to cyber incidents, in order to limit any damaging consequences.

3 lines of Defense Governance Model

CISOs support data-driven cybersecurity governance

A CISO bridges the gap between cybersecurity operations and executive leadership. It is role the exists between strategic and operational. By establishing a data-driven cybersecurity strategy and fostering a risk-aware company culture, CISOs ensure that cybersecurity activities are proactive and aligned with business objectives. Regular reporting on KPIs, cyber incidents and remediation, and cybersecurity regulatory compliance empowers the board to make informed decisions on cybersecurity governance activities as well as security investments.

Cyber Risk Quantification through Financial Metrics with SAFE One

To strengthen cybersecurity governance, CISOs are turning to data-driven solutions that quantify cyber risk in clear, financial terms. SAFE One from Safe Security, empowers organizations to augment their traditional, qualitative risk assessments with a quantifiable, financially focused approach. SAFE One helps CISOs measure cyber risk by assigning a dollar value to potential cybersecurity risks, giving leaders a concrete understanding of their exposure and potential losses.

If you would like to bridge the communication gap with Cyber Risk Quantification, contact us for more information.

FAQ : Cybersecurity Governance

What is cybersecurity governance?

Cybersecurity governance is governance dedicated to IT security and protection from cyberattacks. We talk about ‘governance’ because cyber risk is a major challenge in 2022 which concerns businesses of all types and sizes, therefore requiring an overarching policy.

Why is it important to develop effective cybersecurity governance?

Cyber risk has become very strategic for businesses. It is no longer about individual company departments, so it is necessary to adopt IT security policies that are capable of covering both legal and financial stakes.

Can we talk about cybersecurity GRC?

GRC (Governance, Risk, Compliance) is a global approach to risk, overlapping with its implications in terms of company strategy and regulatory compliance. This makes it a perfectly adapted approach for managing cyber risk.

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Book a free strategy session

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.

See all articles
company investment - C-Risk

Company Risks

Secure your company's investments: innovative solutions to manage cyber risks and protect your business.

Christophe Forêt

12/9/2022
budgetary challenge CISO - C-Risk

CISO Budget Challenge | C-Risk

Explore the key strategies to optimize cybersecurity spending while addressing emerging threats

Christophe Forêt

17/10/2023
FAIR standard - C-Risk

The Open FAIR™ 2 Foundation Certification | C-Risk

Demonstrates that you have gained knowledge of the terminology, structure, and basic concepts of FAIR with the Open Group FAIR™ 2 Foundation Certification

Melissa Parsons

1/10/2024

C-Risk is a recognized expert in Cyber Risk Quantification using the FAIR™ methodology. We provide CRQ solutions, advisory services and training.

Our services
CRQ as a ServiceCRQ Enablement ServicesCRQ Consulting & Advisory Services
Our solutions
SAFE One CRQ PlatformSafe One Third-Party
C-Risk Education
CRQ TrainingCRQ E-learning
Use cases
Communicate to the Board & Executive ManagementThird-Party Risk ManagementMerger & AcquisitionOptimize Cyber Insurance CoverageSize, Allocate and Justify an Infosec BudgetFacilitate Regulatory ComplianceCISO Top Risks and Controls Prioritization
Resources
BlogNewsVideos
Company
About C-RiskCareersPartnersC-Risk in the News
Your role
Executive ManagementCISORisk Professionals
Contact
Contact us
Language
Created by Sales Odyssey
Legal noticeData Privacy