People, Process, Technology: A Three-Pronged Approach to Cyber Risk Governance

Navigating today’s cybersecurity landscape is a daunting task. Every day, new threats, vectors, and intrusion methods appear — all while the Internet of Things (IoT) and connected devices further expand the attack surface. 

Many organizations are clearly struggling to deal with the blitz of threats. According to Accenture, 71% of respondents to its 2018 State of Cyber Resilience study, reported that cyberattacks are a bit of a “black box.” Moreover, the Ponemon Institute’s 2018 State of Cyber Resilience report revealed that 57% of respondents believe it is taking longer to resolve an incident.

The common thread? Without a strong cyber risk governance framework, it is nearly impossible for an organization to keep up with all the changes — and the risks — emerging. Technology alone will not solve the problem. The tools and protections of the past are increasingly ineffective in a borderless connected world.

Defense Mechanisms

In this increasingly complex and chaotic environment, it is necessary to establish a more robust framework for managing risk. Best practice organizations focus on three key elements: people, process, and technology.

At the board level, the People part of the equation is all about establishing a cultural framework that focuses on security. This requires communication up and down the organization as well as ongoing education and training. Yet, it also requires an understanding of how the board, senior level executives, and others use, manage, and exchange documents and data.

Process is all about rules, regulations, and oversight. The board has a responsibility to help ensure that an enterprise focuses on appropriate risks — since it is impossible to toss unlimited money and resources at every threat. It is important to recognize how different groups work and give them the autonomy and flexibility to get work done while addressing cyber risk.

Technology involves putting the right systems in place to automate processes and make them smarter and more effective. It is the mechanism for enforcing rules and procedures, as well as detecting threats.


Strategy is Everything

A lack of attention to any of these three factors will inevitably lead to gaps, glitches, and breakdowns. Just as a three-legged stool will wobble if the legs are uneven lengths, a cyber risk strategy will wobble — and perhaps collapse. 

However, when an organization effectively balances people, process, and technology, it is possible to establish a synergistic framework that fully supports cybersecurity. Suddenly, it becomes much easier to match risk objectives with real world tools, workflows, and cultural components that, in the end, lead to a best practice approach to cyber risk governance. 

For more information about the board’s growing role in managing cyber risk, download our eBook, Best Practices in Cyber Risk Governance.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

More Related Articles

Sign up for Smart Investing to get the latest news, strategies and tips to help you invest smarter.