Cybersecurity is no longer just a technical issue—it’s leadership’s issue. In the current climate, regulators expect executives to be engaged in the management of cyber risk themselves. But too many organizations aren’t properly prepared for the shift. That’s where appropriate communications come in. Executives must create specific protection intentions and use tools like DoCRA to guide risk-based decisions. Even without the details of the technical nuances, leadership’s role is to decide the level of acceptable harm and how to invest in the reduction of risk. When they do, executives don’t just strengthen their cybersecurity position—they establish an awareness and accountability culture throughout the entire organization.
TRANSCRIPT
You are seeing that regulators and insurance carriers are expecting executives and boards to get more involved in cybersecurity decision making.
A few organizations are ready for this. Right?
Well, executives can make informed security decisions when they have the right communications in place.
For instance, if you were to tell your security team what you are trying to protect and how you would recognize when those things are protected correctly or when they would need repair, you would be giving them what they need to put controls in place to meet those goals.
Organizations have been using Duty of Care Risk Analysis (DoCRA) for this communication.
Executives who use DoCRA don’t get into conversations about how logging and alerting works or whether one method of multi-factor authentication is safer than another.
Much like any other part of business, executives are not making technical decisions about details. You see, in cybersecurity, you get points for the work you do even if things don’t turn out perfectly. This is the principle behind reasonable security requirements found in regulations.
The executives who use DoCRA communicate to their team the levels of harm to themselves and others that the company would accept and that they must work toward.
They invest in reducing risks to others by using controls that are not more burdensome than the risks.
And when technicians and personnel know those goals, they can manage to them, and they can report what they need to achieve those goals just like any other part of the business.
Learn more about how companies are doing this by looking at the DoCRA standard at docra.org, by speaking to your account executives at reasonablerisk.com or halock.com, or by going to CIS at cisecurity.org and looking at CIS RAM with your security team.