About 20 years ago, when the floppy disk was a popular form of data storage, business data protection and security strategies were simple: keep one or more spare copies of the data stored on floppy disks, regularly back up your file servers, and make sure that the computer guys in the office install a good antivirus program on every computer to scan for and quickly remove any malware. The days when you could buy a floppy disk at an office supply store are long gone, but the business data governance philosophy they inspired lives on. According to the latest McKinsey report, only 16% of executives said that their companies are prepared to deal with cyber risk.
There has been a lot of talk in the media about business data being the new oil or the new currency. I want to add some color to these metaphors to help bring a key point home. In a 2005 Harvard Business Review article, Jim Goodnight, the CEO of SAS Institute, made one of the most humanistic corporate leadership proclamations of modern times: “SAS recognizes that 95% of its assets drive out the front gate every evening. Leaders consider it their job to bring them back the next morning.” Today, when leading global banks talk about replacing up to half of their operations workforce with robots, human creativity and talent are as important as ever, but the 95% ratio that Mr. Goodnight described has shrunk to about half to accommodate the rapidly growing value of business data. Unlike the human workforce, that data should never leave the authorized perimeter of your organization, not in the evening and not ever.
Today, at least 50% of all your business assets are your business data. It is your CEO’s responsibility to make sure that it does not leave your organization unnoticed and without proper authorization.
It is the CEO, not the IT department, who is fully responsible for business data security. It is the board, the organization’s governance body, not the system admins or the business data owners, who hold full accountability for protecting the business data. Old notions are often quite sticky and hard to set aside, especially when they convey a certain sense of innocent simplicity, yet the era of floppy disk IT risk governance is long gone. According to ISACA, a recognized global authority on sound IT risk governance practices, the first crucial step in moving in the right direction is to adopt a comprehensive framework to guide, and periodically assess, your organization’s journey toward IT governance and IT risk management maturity. Leveraging its acquisition of the CMMI Institute, which grew out of Carnegie Mellon University’s popular Capability Maturity Model Integration (CMMI), ISACA now offers a board-level program to help organizations’ governance bodies progress through the CMMI maturity levels for cybersecurity and IT risk management, from Incomplete (Level 0) to Optimizing (Level 5).
A recent “State of Cyber Security Report” published by InfoSec Magazine concluded that, “There is better awareness at board level about cybersecurity and seeing it as a business risk and not only an IT risk.” This is great news, but celebrations might be a bit premature if your board members still believe that cybersecurity and IT risk management are something that the IT folks do.