Connecting Information Security and Corporate Governance
Lawyers and government are not technically qualified to make cyber governance decisions….
For business leaders who are unwilling to make the governance choices needed to ensure security online, it is likely that someone else will make those choices for them.
That is the all-too-likely and harsh reality Ryn Melberg describes to the listeners of her weekly podcast. The only podcast of its kind, “The Guardian Podcast with Ryn Melberg” is about the modern world of information work and commerce. It features conversations about better ways to deliver value using Agile, Scrum, Lean, and the Scaled Agile Framework, along with issues of corporate governance.
The Guardian Podcast can be heard on her website at www.rynmelberg.com, on iTunes (https://itunes.apple.com/us/podcast/connecting-information-security/id977764101?i=365753826&mt=2) or on Sound Cloud (https://soundcloud.com/harold-nicoll).
Ryn believes that for businesses and other institutions to be secure in the information age, they will have to fundamentally adjust their thinking. “We really have to change our mindset about how we work and why we work,” Ryn said. “Using more advanced ways of thinking and planning work with tools like Agile and Lean will certainly help support the modern world of business and protect stakeholder values. For those who cannot handle the more rigorous governance required for cyber security, you will probably need a new job.”
Who Makes Governance Choices If Leaders Do Not?
Surrendering the right to make governance choices to lawyers or government officials is tantamount to ceding the ground rules used for running a business to people who are not qualified. “We are already seeing a lot of lawyers getting into governance issues,” Ryn said. “Government will follow lawyers, but neither is really that good for business.”
While lawyers may say they are interested in bettering governance rules so ‘no one else has to go through this again’, they are really in business to represent individuals or classes in court. “Their job is to keep you out of jail, not to define the technical rules of your or any business,” Ryn said. “No one would ask a plumber to do heart surgery. Getting lawyers and Congress to make cyber governance rules is even less smart.”
Making Governance Work For Security
According to Ryn, there is no larger threat to people, commerce or government than that of a cyber breach. Her recommendations for corporate governance rules are easy to understand, but difficult to implement. “All governance rules for risk management should include a cyber security component,” Ryn said. “For those rules to work will require an investment in IT. Cyber security must become part of everything we do, and we need to build cyber security into every process and procedure we have.”
As cyber security becomes part of everyone’s day-to-day responsibility, Ryn believes that employees must be empowered to take meaningful action to prevent the possibility of a cyber breakdown. “At Toyota, every worker on the assembly line is permitted to stop the line and halt production if they find a defect,” Ryn said. “Information workers should be similarly enabled to halt work if they believe they have discovered a vulnerability. We should let our code writers throw up roadblocks to prevent cyber breaches, or even the possibility of a cyber breach, to the point that if someone does not stop the line, they are in trouble, and if they stop the line and are wrong, they are rewarded.”
No Universal Standard But….
Ryn suggests that cyber security requirements be added to risk management as part of overall governance. As with all risk management, there is no one-size-fits-all approach, but some basic steps will help build a robust, nimble and practical cyber defense, and no general standard for cyber security governance rules currently exists. So where to start? A good place is to find and record what the organization owns and operates. Begin with an inventory of desktops, laptops, tablets, iPhones, printers and any other device that is part of the organization’s network. “I have found that printers and old fax machines that are still hooked to a network provide vulnerability,” Ryn recounted. “That’s like leaving the doors unlocked and the windows open, but worse because so much more can be compromised.”