The next wave of regulation
When you examine technology risk, you are talking about IT. But when you talk about cyber risk, the ownership and accountability live outside the technology department. The trend we see in the direction and magnitude of cyber regulation is toward a more holistic approach, focused on business priorities and responsibilities: customer-facing activities such as building trust; middle- and back-office operational tasks; and board-driven corporate governance functions. In short, the focus is on management within the first line of defense, as it should be.
The landscape as we see it
In 2020 and beyond, we expect to see continued growth in regulation on a variety of topics from a variety of regulators. In Asia specifically, we have seen new cyber security regulations that actually use the word "cyber." Previously, regulations in that region used the word "technology," which carried an IT connotation. The increased precision is a welcome development.
With so many countries having issued rules that adopt elements of the General Data Protection Regulation (GDPR), or having enacted their own privacy laws, we are seeing, especially at larger multinational companies, the creation of new, proactive data management departments. Essentially, businesses are looking to master data analytics as a discipline and to understand not only where data is located across the organization, but also who owns it, what is being done with it and, perhaps most critically, what rights and permissions users have in relation to that data.
Companies are recognizing the need for additional investment, not just in tooling and process development but in cyber talent, which remains scarce across the full range of roles, from cyber governance and risk strategy to configuration and maintenance. There is still a large gap in this space, and, unfortunately, many companies hire IT professionals who lack a cyber security perspective on the regulatory environment. The result is advice that is either ineffective or well-intentioned but misunderstood or inadequately implemented by management and the board.
What we believe you should do about it
Within the three lines of defense model, we suggest embedding the responsibilities of cyber security, as well as the role of the CISO, in the first line, preferably formally, and linking these tasks to annual performance targets. The CISO role, at its core, should reside in the first line to cover security strategy and vision, and the CISO should have a clear hierarchical, or at least functional, alignment with security operations regarding daily monitoring and tool configuration.
The second line (i.e., IT risk) should support design quality and resiliency policies and standards, and report back to management and the board. The third line would review and assess the work of the first two lines. This optimal state seeks to extend the company's cyber security needs, including regulatory compliance, across the entire organization.
We also believe it is critical to institute ongoing testing of your regulatory compliance program in terms of design, implementation and effectiveness, to identify where improvements are needed. Also, ensure operational cyber resilience is embedded into your overall architecture and processes to solidify security for both IT and operational technology (OT).
Appoint an individual who is not strictly an IT person to oversee regulatory compliance. In fact, new CISOs should become more comfortable speaking the language of business in order to ensure their messages are understood and executed. This individual should have a broad mindset regarding the company's operating model; a Chief Risk Officer, Chief Financial Officer or Deputy CEO would be ideal, because they also have perspective on the company's overall risk agenda. This individual would be the sponsor or champion for cyber security across the entire organization, working in close partnership with the Chief Operating Officer and the CISO.
Take the time to unify all of your regulatory requirements, from internal controls and policies to the various regional and country-specific regulations, into a single Unified Control Framework to enhance the effectiveness of your internal governance, risk, compliance and testing efforts. Look for synergies between the controls demanded by privacy, resilience and security regulations; you may be surprised by what you find.
Companies are encouraged to shift their focus from systems and technology to information. Pinpoint what it is that makes you competitive in the market. It could be intellectual property, or your supply chain, or your pricing power. Whatever it is, that鈥檚 what you need to protect from a cyber security perspective.
This excerpt was taken from the 乐鱼(Leyu)体育官网 article "All hands on deck: Key cyber security considerations for 2020".
© 2025 R.G. Manabat & Co., a Philippine partnership and a member firm of the 乐鱼(Leyu)体育官网 global organization of independent member firms affiliated with 乐鱼(Leyu)体育官网 International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the 乐鱼(Leyu)体育官网 global organization please visit /governance.