New Zealand’s Government Communications Security Bureau is encouraging public and private sector leaders to get more connected with the cybersecurity governance of their organisations.
According to a recent press release, the Bureau’s National Cyber Security Centre (NCSC) has produced a resource for boards to help improve cybersecurity governance.
This follows from a study of the cybersecurity resilience of the country’s organisations.
Background of the Initiative
- The NCSC study involved interviews with cybersecurity professionals from 250 of New Zealand’s nationally significant organisations.
- Through this, they were able to assess cybersecurity resilience using measures drawn from a range of security frameworks.
- GCSB Director-General Andrew Hampton explained that the assessment identified a gap between leadership and governance, and cybersecurity practice across many organisations.
- This was one of four focus areas; the others were preparedness, investment and supply chain.
- The NCSC is producing a range of guidance resources as part of the agency’s work to help organisations lift cybersecurity resilience in these areas.
- The guidance resources will help organisations focus their efforts.
- The first of these resources, focusing on improving cybersecurity governance, has been published by the NCSC. Resources in the other focus areas are to follow in 2020.
Charting Your Course: Cyber Security Governance
The governance resource, called Charting Your Course: Cyber Security Governance, sets out six areas that will help focus engagement between an organisation’s governance and its security practitioners.
It defines the principles of a cybersecurity programme, provides a holistic view of risk, and offers advice on monitoring security performance.
The resource is intended primarily to support board and executive decision making around cybersecurity resilience and risk.
Practitioners should also find it useful in supporting their engagement across the organisation to achieve its security mission.
The series consists of the following sections:
- Introduction: Cybersecurity governance
Every organisation’s journey toward cyber resilience will be different. The steps set out in this series provide general direction to assist in that journey.
- Step One: Building a culture of cyber resilience
Organisations must develop a culture of cyber resilience.
Everyone in the organisation should feel supported to make decisions that protect the confidentiality, integrity and availability of information assets.
- Step Two: Establishing roles and responsibilities
Clearly defining an organisation’s cybersecurity roles and responsibilities, and establishing who is best suited to performing them, is an important step to achieving effective cybersecurity governance.
- Step Three: Holistic risk management
Effective risk management is a core aspect of governance and must be embedded within an organisation’s overall risk framework.
- Step Four: Cybersecurity collaboration
Successfully translating a cybersecurity strategy and vision into action requires the wider organisation’s support.
This can be achieved by establishing a committee and a working group with representation from key stakeholders across the business.
- Step Five: Create a cybersecurity programme
A cybersecurity programme will help ensure any investment provides the best possible improvement in cyber resilience.
- Step Six: Measuring resilience
The effectiveness of cybersecurity activity should be accurately measured and reported. Measurement and reporting provide the basis for continuous improvement.
The resources can be downloaded here.