The Importance of Cybersecurity Program Management

The world of cybersecurity has changed drastically over the past several years and will continue to do so in the years ahead.  As cyber threat continues to grow in complexity and in numbers, organizations are faced with the new challenge of having to defend their cybersecurity programs.  This is a relatively new threat in the cybersecurity landscape.  Historically, the question that has been asked of IT security groups is "Are we defending our data and our technical assets?" However, with increasing litigation risk and the rising costs of data breaches, company executives find themselves in front of media, judges and regulatory agencies attempting to defend their cybersecurity programs. Executives and directors have long tasked IT security teams with managing security activity and have placed full responsibility for these groups. In current times, this can now be considered negligent management and leadership. Executive oversight is now an action that is reviewed with scrutiny in the event of a breach. CISO's and IT security organizations have traditionally operated in an autonomous fashion as work is performed and action is taken to protect data and assets. Most often, the leadership team is not always aware of all the activity taking place.  Executives care about the budget and funding of these projects, ask high-level questions and call it good! That is until a significant breach occurs, at which time there is not only the scramble of trying to manage and contain the breach but also provide answers. It should strike a chord with everyone involved that during a crisis would be the absolute worse time to try and gain perspective around the company cybersecurity effort. Whether you are responsible for the program and are attempting to share information or an executive in needing information, it would be much more diligent to have alignment long before the crisis. As we look to the cybersecurity landscape for resources and trends to help guide our actions, note that regulatory agencies such as the SEC, FTC, State Department of Financial Services and others are closely looking at putting regulation over corporate cybersecurity programs.