Cybersecurity Governance and Risk Management


By CPA Phares Chege, and CPA Daniel Njogu

You Should Show How Well the Security Strategy Has Aligned with The Business Objectives

Risk profiles evolve as technology changes, and the change cuts both ways: it brings new risks, mutations in risks already assessed, a wider attack surface, new regulatory and compliance requirements, and business-model risk. The global cost of cybercrime is forecast to grow from $8.44 trillion in 2022 to $23.84 trillion by 2027 (Statista, 2024). The rapid evolution of technology has placed cybersecurity policies on shifting sands. Developments such as quantum computing, which is expected to be able to break today's public-key encryption standards, threaten organizations' digital trust. Consequently, regulators have strengthened controls by imposing penalties for data theft and adding compliance requirements, so that organizations address these risks effectively (Clifford Chance, 2018). Cybersecurity incidents damage digital trust and supply chains. The costs of cybercrime include data destruction, lost production, monetary losses, theft of personal and financial data, recovery costs, and reputational damage. Cybersecurity was once perceived as an ICT problem, but boards have increasingly realized it is an enterprise responsibility. It is no longer acceptable to be a bystander on information security (IS) responsibilities and accountability.

Cybersecurity governance and risk management is a defined approach for managing risks that could compromise an organization's data, systems, and information assets. Cybersecurity governance ensures that cybersecurity initiatives align with the organization's strategic business objectives; that the organization has the necessary resources and can adapt to evolving needs; that executive management and the board of directors exercise oversight and establish accountability; and that legal, regulatory, and industry requirements are met. Cybersecurity risk management, on the other hand, involves identifying, assessing, and prioritizing cybersecurity risks to the organization's assets, data, and operations; implementing measures to mitigate, transfer, accept, or avoid the identified risks; and continually monitoring the threat landscape and the effectiveness of controls. Together these aim to minimize the potential impact of cyber threats while optimizing the use of resources. Prioritizing cyber risks by their potential impact also balances cybersecurity controls against the effectiveness of business operations, so that the organization operates within its risk appetite.

The goal of cybersecurity governance and risk management is to build cybersecurity maturity. A cybersecurity maturity model can be used to assess and enhance security controls by classifying practices into predefined levels based on how effectively an organization identifies, detects, responds to, and recovers from cyberattacks (ISACA, 2024). The model provides a clear roadmap for benchmarking, monitoring initiatives, and continuous improvement in cybersecurity. Just as a product moves through a growth cycle, organizations have to map their security programs against a maturity framework to ensure consistent improvement, as shown in the table below:

Maturity levels, from basic to advanced: Initial, Developing, Defined, Managed, Optimized.

People
Initial: Activities are not staffed or are uncoordinated.
Developing: Established information security leadership, with informal communication.
Defined: Some defined roles and responsibilities.
Managed: Improved resource allocation for cybersecurity initiatives and awareness, with clearly defined roles and responsibilities.
Optimized: Organizational culture supports continuous improvement of the security strategy across skills, process, and technology.

Process
Initial: No formal security program in place.
Developing: Basic governance and risk management processes and policies.
Defined: Organization-wide policies are established, but verification of their effectiveness is minimal.
Managed: Formal information security committees and verification and measurement processes are in place.
Optimized: Processes are implemented comprehensively, based on risk assessment and quantitative valuation.

Technology
Initial: Despite security issues, no controls are in place.
Developing: Some controls are in development, with limited documentation.
Defined: More controls are established and documented, but there is over-reliance on individual effort.
Managed: Controls are monitored and compliance is measured, but automation levels are uneven.
Optimized: Comprehensive controls are in place, automated, and subject to continuous improvement.

Source: ISACA. (2024, October 7). Accelerating cybersecurity maturity by quantifying risk. @ISACA, Volume 19.

Strong cybersecurity governance and risk management promote the development and implementation of clear policies that strengthen an organization's incident response capability. They enable the organization to realize returns on its security investment by protecting the current and future value of the business. They also ensure that vendors supplying information systems services are managed, because the consequences of risk cannot be outsourced. An inventory of every device attached to the organization's network is important, as a single weak link can give a threat actor a vulnerability to exploit, and the proliferation of Internet of Things (IoT) devices has created many more such opportunities.

One of the most common models of cybersecurity governance has three lines of defense (Bongiovanni et al., 2024). The first line is the business unit that owns and manages risks; the second line coordinates risk identification and monitoring; and the third line, internal audit, provides independent advice and assurance on the adequacy of the first two lines. External IS audit assurance complements the role of internal audit: external auditors bring cross-industry knowledge for effective cybersecurity management, while internal audits are performed by professionals with an in-depth understanding of the organization's operational context, including its business culture, systems, and processes.

Opponents of the Three Lines of Defense model argue that it is too slow for decision-making, especially for businesses operating in an agile environment, such as banks. The model is also seen as focusing solely on cyber risk management without explicitly recognizing the responsibility of executive management and the board for IS governance, and many organizations place accountability for the IS function within the IT function (ACCA et al., 2019). These weaknesses have led to a proposed revision of the Three Lines of Defense model into five lines of accountability: the business unit, control and monitoring, assurance and advisory, executive management, and the board (Bongiovanni et al., 2024).

The organization should take advantage of available technical training to keep staff, management, and the board up to date on IS. Not everyone needs to be an expert, but everyone should acquire enough competence in IS to assess and manage risk in their own line of duty. Significant threats may go unaddressed if IT, operations, finance, and executives each view IS only through their own professional lens; unexamined assumptions increase vulnerability. There will always be so-called zero-day exploits that can expose even organizations regarded as well prepared and well resourced, so resilience planning is critical given the uncertainty about how and when an attack will occur.

Aligning security with business objectives is imperative for holistic cybersecurity governance and risk management. The following approach may help in putting this into practice:

i. Understand the core purpose of the business and its goals

Understanding the business's structure, organization, culture, and operations should start at the induction of new employees. Awareness of what matters to the business guides the mapping of security controls and the security strategy.

ii. Identify key stakeholders and design a collaborative communication strategy

Lobbying for business support by identifying stakeholders who understand the risks and their own role in risk management is a critical success factor.

iii. Ensure the risk methodology aligns with business goals

The risk management strategy must be tied to business goals and the regulatory environment. This helps you develop security controls that address risks while aligning with business priorities.

iv. Always ensure staff awareness and support

Educating staff about cybersecurity measures and practices, including phishing, password hygiene, data protection, and the management of human-error risk, is imperative. To succeed, you must ensure staff understand how cybersecurity risks affect them and the business; this wins their attention and support.

v. Give feedback to your stakeholders

You have to show how well the security strategy has aligned with the business objectives and how much it has improved business performance. As the management adage goes, what you cannot measure you cannot manage. A communication and collaboration strategy must therefore include measurable metrics. Reporting demonstrates that the security strategy makes business sense, making it easier to collaborate with the business to improve the security posture and maintain controls effectively.

In summary, aligning the security strategy with business objectives is critical for any security or risk professional. Collaboration with the business makes security a shared responsibility across the organization and reduces the friction in lobbying for executive and business-level buy-in, support, and budget for security initiatives.

References

Association of Chartered Certified Accountants (ACCA), Chartered Accountants Australia and New Zealand (CA ANZ), Macquarie Group Limited, & Optus (2019, May). Cyber and the CFO. UK. https://www.charteredaccountantsanz.com/-/media/a82de353ba15474ead28028e53b5b416.ashx

Bongiovanni, I., Slapničar, S., Axelsen, M., & Stockdale, D. (2024). The three lines model in cybersecurity governance and risk management. ISACA Journal, 1 (2024).

Clifford Chance (2018). Cyber Security – What Regulators Are Saying Around The World. Accessed 25 April 2019.

ISACA (2024, October 7). Accelerating cybersecurity maturity by quantifying risk. @ISACA, Volume 19. https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2024/volume-19/accelerating-cybersecurity-maturity-by-quantifying-risk

Statista (2024). Estimated cost of cybercrime worldwide 2027-2028. https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide

CPA Phares Chege, CIA, CISA, CRISC, CDPSE, is an Audit and Risk Management practitioner and trainer with over 21 years' experience in the public and private sectors. He is Head of Internal Audit at Kenya Revenue Authority.


CPA Daniel Njogu, CIA, CISA, is an Audit and Assurance professional with a passion for research in finance and public policy. He is an Internal Audit Supervisor at Kenya Revenue Authority.


