According to www.businessdictionary.com, governance is defined as “the establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization.” Addressing governance is often a good first step for new endeavors and cybersecurity is no exception. The size and reporting structure of a firm will have a great bearing on the firm’s governance of cybersecurity. For example, governance is straightforward in a one-person firm, but very different in a large firm.
The Cybersecurity Czar
One of the challenges of cybersecurity is it spans multiple business areas within a firm, which include but are not limited to information technology (“IT”), operations, and compliance. There are advantages to appointing one person to be responsible for the oversight of cybersecurity (the cybersecurity czar.) By assigning responsibility for cybersecurity, and delegating the authority to act, a firm will have identified and addressed a specific need. Importantly, the Cybersecurity Czar does not have to be someone that works in compliance, and the position does not require expertise on technology; however, a deep understanding is very helpful. Actually, the cybersecurity czar should be, when possible, someone from senior management, since that is someone who knows the firm’s business and they have the authority to make certain important decisions that come up from time to time. For situations that require more expertise or the senior manager is not able to devote enough time for certain administrative functions inherit in the oversight, the firm can consider utilizing an outside service provider.
The Cybersecurity Committee
The cybersecurity committee generally serves as a working group, and its members are critical to its success. First consider whether the firm has the personnel knowledgeable enough to effectively govern cybersecurity or whether one or more external persons should be invited to serve as committee members. For example, if the firm outsources their IT function, they may want to consider someone from the IT vendor to serve on the committee. Internally, one or more senior managers should be included, along with individuals from IT, compliance, finance, client servicing, and operations, as applicable to the firm’s size and structure. Also, the Cybersecurity Committee should have a written charter to outline the powers, purpose and responsibilities, along with an effective leader appointed as the chairperson.
Once the governance structure is in place, the next big step is to perform a cybersecurity assessment. Stay tuned for next week’s blog that will discuss this process and provide helpful tips.
Core Compliance Can Help
Implementing a robust Cybersecurity program is a daunting task and establishing a cybersecurity governance structure is the first important step. Core Compliance & Legal Services, Inc. can help as our team members are well versed in this area and can assist firms with determining the best approach. We also can provide guidance on what governance steps should be taken and even assist with performing such steps. For more information, please contact us at (619) 278-0020.