By Derek Smith Jr
There are arguably two prominent problems with cybersecurity governance: the misrepresentation of cybersecurity risk at the c-suite and board of director levels, and the underrepresentation of women in the industry. The pressure to secure businesses against cyber incidents and, more importantly, cyber breaches is immense. It is crucial that your organization’s approach to cybersecurity risk is thorough and representative of today’s challenges while anticipating tomorrow’s cybersecurity needs. One of the key obligations of a risk and compliance professional is to ensure that a business’s objectives and its cybersecurity framework are aligned and take into account the local and international laws governing its industry. These can become disconnected because of misconceptions.
Elena Kvochko, a contributing writer at Forbes, wrote in her article ‘How to make cybersecurity more approachable’: “Security knowledge can make or break a career. While industries have evolved from awareness to implementation and specific guidelines, there are still a lot of misconceptions. Not understanding the inner workings of technology is no longer an option for executives.”
I submit that one such misconception is that information technology (“IT”) is synonymous with cybersecurity.
Their priorities, required skills, and responsibilities are different, and many times they compete. IT is concerned with the functionality of hardware, software, and the network. Conversely, cybersecurity addresses the security of digital information. IT establishes controls, whereas cybersecurity monitors those controls to ensure they work as intended. IT training centers on new hardware, software, and solutions, whereas cybersecurity training involves staying up to date on the new threats, developments, and risks that are constantly emerging.
The misconception above can inadvertently cause issues because the wrong role may end up with a seat in the boardroom.
Here is why:
Without understanding the components of governance, corporate structures may be built with flaws. The compliance professional must assess the corporate landscape and, through board and c-suite training, make the case for segregating IT from cybersecurity. Information technology/systems governance is the responsibility of the Chief Information Officer (“CIO”), who is sometimes called the IT Director or Head of IT. Some organizations even go to the length of splitting the role of CIO from that of Chief Technology Officer (“CTO”). By contrast, Information Security (InfoSec) governance is the responsibility of the Chief Information Security Officer (“CISO”). If your CISO reports to your CIO or CTO, you may have a problem. If you are a board member and you have just identified that you have a structural problem, now is always the best time to correct it.
Underrepresentation of women in the industry
Statistics on gender gaps in employment produced by Poster in 2018 show that women account for less than 20% of all cybersecurity professionals worldwide. This is an unacceptable statistic in one of the world’s top careers in 2020. The misconception that technology is a masculine career is outdated, and this image must change. Addressing this disparity between women and men within the cybersecurity space will help to decrease the projected skills gap within the industry.
“It’s estimated that the number of unfilled cybersecurity positions will grow to a staggering 3.5 million by 2021”, noted Sarah Hospelhorn in her Varonis.com article published on May 20.
In conclusion, as Cybersecurity Month continues, it is imperative that the gap in gender representation in the field is narrowed through conscious efforts by boards and c-suite leaders to proactively recruit, train, and promote women in the cybersecurity workforce.
Moreover, clarity must be achieved at the board of directors and c-suite levels on including the CISO at the executive level, independent of the CIO, or incidents and breaches will continue to rise.