
Measuring cyber resilience – a rising tide raises all ships

Opinion
Oct 24, 2017
Data and Information Security, Data Breach, IT Leadership

The days of cybersecurity being treated as a technology concern have passed us by. Cybersecurity is now and will remain a strategic business risk.

I admit it … I am one of the 143,000,000 people afflicted by the Equifax breach. For those of us who reside in the U.S., that number approaches 60% of all adults, based on recent numbers from the U.S. Census Bureau. Perhaps most unsettling is that failing to perform something as routine as a timely patch produced an event so catastrophic that it cost the CISO, CIO and CEO their jobs. Make no mistake about it, accountability for cyber resilience is in the boardroom and rests heavy on the shoulders of those in the C-suite. This is accentuated by the data from a recently completed study by ISACA and MIT which overwhelmingly confirmed that CEOs and boards are leading enterprise digital technology initiatives.

Strong oversight of cybersecurity is now a critical component of organizations’ overall governance of their information and technology, and on that front, there remain some steep hills to climb. ISACA’s new Better Tech Governance is Better for Business research shows that only a little more than half of senior business leaders think their organization’s leadership team and board are doing all that they can to safeguard the organization’s digital assets, and less than half of boards intend to fund a significant expansion of their cyber defenses in the coming year, despite expanding attack surfaces and daily changes to the threat landscape.

There is much in the media and literature today calling for increasing technology competency in directors and senior executive leaders to achieve better oversight of what’s happening in the enterprise operations. There are also repeated calls for boards and the C-suite to further invest in cybersecurity and risk management, not only as a path to averting disaster, but as an enabler of the innovation required to thrive within a rapidly changing and increasingly complex technology landscape and regulatory and compliance environment.

The answer seems simple enough: recruit some new subject matter experts who can ask the right questions to serve on the board. While this is a good start, there’s still something missing: the fundamental ability to qualitatively and quantitatively measure the capabilities of an enterprise, allowing the enterprise to build its cyber resilience.

How to raise all ships

A CISO for a leading global payment company recently shared with me his story of being asked by a director on the company’s Board, “Are we safe?” His response was, “I think so,” to which the director retorted, “What do you mean you think so?” The story was instructional for me, confirming the need for ISACA and our CMMI Institute subsidiary to work with industry leaders on the development of a risk-based, enterprise-wide self-assessment that presents a holistic view of an organization’s established capabilities to protect and defend itself from cybersecurity attacks. Upon completion of the assessment, a report indicating the current state of the enterprise, including views on how the organization compares to other organizations of similar size, geographic location or industry, will be provided. Assessment outcomes can be used by boards and senior executives to understand the current state, along with a roadmap to improved cyber resilience that can serve as the basis for further risk management-based and business-focused investments. CISOs and board members won’t need to think their organization is safe; they will know it is.

With industry and government support, along with stakeholders in our professional community, this assessment can evolve into a community-accepted “universal consensus model” to measure progress in our respective industry sectors. Without such a tool, organizations, many of which are struggling to find tech-savvy board members, will continue to operate with incomplete or misleading information when deciding how to invest in the equipment, training and personnel required to build and maintain effective security programs.

The pressure on today’s executives when it comes to reliable cybersecurity and risk management is significant. The job of leading and managing these critical enterprise concerns is anything but easy. The days of cybersecurity being treated as a technology concern have passed us by. Cybersecurity is now and will remain a strategic business risk that, if properly managed, can fortify an enterprise to effectively and securely innovate. Perhaps the timing is now right for this new ability to measure cyber resilience, thereby creating the rising tide that will raise all ships.

Contributor

Matt Loeb, CGEIT, FASAE, CAE, is the CEO of ISACA, which serves 159,000 professionals with expertise in audit, assurance, security, privacy and risk. Prior to joining ISACA, Loeb was staff executive for the Institute of Electrical and Electronics Engineers (IEEE) and the executive director of the IEEE Foundation. His professional experience includes enterprise strategy, corporate development, global business operations, governance, publishing, sales, marketing, product development and acquisitions functions in a variety of for-profit and nonprofit organizations.

In 2016, Matt was named a Fellow of the American Society of Association Executives (ASAE). He is one of only 251 individuals to receive this recognition since the program’s inception 30 years ago. This industry recognition is bestowed on fewer than 1 percent of those working in the nonprofit industry. He was also selected by the National Association of Corporate Directors (NACD) as one of the top 100 Directors for 2016, and honored for this recognition at NACD’s annual Directorship 100 event in New York City in November.

Matt has been on numerous corporate for-profit and non-profit Boards. He currently serves as board chair of Pittsburgh-based Clearmodel, as a director on the Board of the American Society of Association Executives and the ASAE Foundation, both of which are based in Washington, DC, and as a trustee of Excelsior College located in Albany, NY.

The opinions expressed in this blog are those of Matt Loeb and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.