NZ Incident Response Bulletin – June 2024

Our Views:

Cyber Governance – Getting Started

What is Cyber Governance?

Cyber governance refers to the comprehensive approach an organisation takes to manage cyber risk. It involves establishing and maintaining a framework, along with supporting management structures and processes to ensure that cybersecurity strategies align with business objectives. Cyber governance activities include establishing decision-making hierarchies and accountability frameworks, setting expectations for risk appetite and tolerance, establishing oversight processes and procedures, and complying with applicable laws and regulations through adherence to policies and internal controls. In essence, cyber governance is a key mechanism through which a business can achieve cyber resilience.

While we have previously written on this topic, we are seeing an increasing number of client enquiries asking how to properly get started and make good progress.

The National Cyber Security Centre (NCSC) outlines six key steps that businesses can focus on to improve their cybersecurity governance. The steps are:

  1. Building a Cybersecurity Culture
  2. Establishing Roles and Responsibilities
  3. Holistic Risk Management
  4. Organisational Collaboration
  5. Creating a Cybersecurity Programme
  6. Measuring Cybersecurity Resilience

Establishing effective cyber governance takes dedicated effort and, as the steps above show, it encompasses a wide variety of leadership, cultural, procedural, and technological areas. However, getting started does not need to be difficult, and we recommend the use of proven policy and plan templates and straightforward self-assessments to simplify this journey.

Why is Cyber Governance Important?

Cyber governance is crucial for several reasons. As cyber risks grow, there is increased concern and scrutiny on companies’ cybersecurity practices from customers, suppliers, investors, regulators, and other stakeholders. Implementing strong cyber governance demonstrates an organisation’s preparedness, resilience, and response capability to cybersecurity incidents and helps to build trust and ensure regulatory compliance. Effective cyber governance will also help mitigate the risks of data breaches, enable faster response to incidents, and provide a better understanding and adaptation to new cyber threats. Additionally, cyber governance aligns cybersecurity measures with business objectives, ensuring that security initiatives support and facilitate the overall mission of the organisation.

How do I start implementing Cyber Governance?

We recommend organisations start their cyber governance journey by gaining a good understanding of their current state. For example: What information is held and needs to be protected? What security measures are already in place? What are your critical business assets? Secondly, it is essential to establish a cyber security programme that uses a well-recognised industry framework and set of controls to address the risks identified in your business.

If your business is either at the beginning of the journey or looking to make improvements to cyber resilience, we advise completing a self-assessment against the CIS Critical Security Controls (CIS Controls) to enable you to identify key risks, areas of weakness, and easy improvements for immediate security uplift. The CIS Controls are a prescriptive, highly prioritised, and simplified set of best practices that can be used to strengthen your organisational cybersecurity posture. As many successful cyber-attacks exploit poor cyber hygiene such as inadequate configuration management, unpatched software, or lack of employee awareness, the implementation of basic security hygiene controls can significantly reduce your organisation's cyber risk.

When starting we advise you to:

  1. Understand your target state: The CIS Controls allow you to choose an appropriate target cyber maturity level for your organisation, so all actions undertaken are appropriate for your unique business profile.
  2. Start small: An effective cybersecurity improvement programme must be realistic and achievable for your business. If resources are scarce, it is important to focus on steady and consistent small lifts in maturity. A roadmap that clearly articulates what, when, by whom and how the initiatives will be delivered is key to managing this process. Any plan should be evaluated at least quarterly and adjusted based on progress and capacity.
  3. Use strong prioritisation: Rather than attempting to implement every published cybersecurity recommendation, which can result in unnecessary spend and overwhelm, ensure you are prioritising improvement activities that protect against the latest active attacks in the cyber landscape and those which reflect your organisation's greatest risk areas.

By adopting a structured cybersecurity framework, you can begin your cyber governance journey with confidence and start implementing measurable uplifts to your cybersecurity to reduce your unique cyber risk.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.