
IT GOVERNANCE | GREEN PAPER

Cyber Security

An issue for the board

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | FEBRUARY 2019

“While cyber security used to be considered an issue primarily for the IT department, these days it is a permanent agenda item for the entire C-suite – one that we are all responsible for.”

The above quote sums it up[1]: IT governance has to come from senior management – something that is becoming more important by the day, but still not standard practice.

PwC found that just 44% of corporate boards actively participate in their companies’ overall security strategy, showing that many boards still consider it a matter for IT.[2] This is in line with Ernst & Young’s study, which found that more than half (55%) of surveyed organisations do not make protecting themselves a key part of their strategy.[3]

In better news, the same Ernst & Young study found that cyber security budgets for both 2018 (53%) and 2019 (65%) are increasing. And rightly so: the risk of compromise – as well as the risk of significant harm to the business itself – is growing.

Why discuss cyber security at board level?

Technology is an integral part of business

62% of CEOs surveyed by Gartner say they have some sort of management initiative or transformation programme to make their business more digital.[4] Moreover, the rapid – and still growing – adoption of and reliance on new technologies, such as the Cloud, machine learning and AI, has created more opportunities than ever for cyber criminals. Cyber security should therefore be an integral part of an organisation’s overall strategy.

A growing body of legislation

As Dani Michaux from KPMG points out, “Cyber security has become a mandatory boardroom topic, particularly as governments and regulatory bodies increase their scrutiny”.[5] The significant fines that organisations can face from failing to comply with, most notably, the EU’s General Data Protection Regulation (GDPR) should naturally make cyber security and data protection board-level concerns.

Setting the right example

Showing that cyber security is taken seriously at the top helps enforce a security culture among employees. As people are your first line of defence – and as human error is one of the most common causes of data breaches and other security failures – you should make every effort to ensure every member of staff takes their security responsibilities seriously.

The possible impact and cost of a cyber incident can be severe

Data breaches and cyber attacks now receive more media coverage. The resulting reputational impact can be significant, including lost customers and contracts, reduced share prices and loss of competitive edge. On top of that, as Richard Watson from Ernst & Young points out, “security is also about maintaining the continuity of business operations – and not only about the security of data and privacy”.[6]

Business disruption as a result of a cyber attack or data breach (the top threat according to the BCI Horizon Scan Report 2019[7]) affects the whole organisation, and could even threaten its existence.

Technology and business

Susan Story, president and CEO of American Water, says[8]:

In the old days, you had business and then you laid technology on top of it [...] Today, business is technology and everything we do has technology threaded through it. How you most effectively and efficiently do that is what distinguishes companies that are digitally transformed from those companies that aren’t.

This is not limited to reliance on websites and the Cloud, but extends into recognising newer practices like data mining and AI. Technology is now integral both to running the organisation and as part of its products and services.

Boards cannot treat IT as simply a functional or operational issue. In this information age, an organisation’s key asset is its intellectual capital, which in turn depends on information technology. As an asset is, by definition, something that someone outside the organisation wants, it is also something worth protecting.

Any solutions must be proportionate to the value at risk and in line with the organisation’s strategic and operational goals. As such, information and cyber security decisions should be made by the board, not the IT department alone.

Companies Act 2006 and SOX

In addition to sensible practice, under Section 172(1) of the UK’s Companies Act 2006, directors must consider “the likely consequences of any decision in the long term”, and “the desirability of the company maintaining a reputation for high standards of business conduct”. Given the potential impact that security incidents can have on an organisation and its customers, failure to take an active interest in information security provisions could constitute a breach of a director’s statutory duties.

Similarly, for any company publicly listed in the US (whether based in the US or not), the Sarbanes–Oxley Act of 2002 (SOX) requires management to certify the company’s financial reports, and both management and an independent accountant are required to certify the company’s internal controls. In almost every organisation, financial reporting depends on the IT infrastructure. Unless appropriate internal controls are built into this infrastructure, management will not be able to make the required certification.

Although the Companies Act 2006 and SOX are UK and US laws respectively, such requirements are increasingly common around the world – almost every organisation (and director) needs to consider and meet them.

Legal and regulatory requirements

Company laws are not the only legal requirements directors should concern themselves with. There is also a wide range of cyber security and data protection laws to comply with around the world, including the GDPR, the UK’s Network and Information Systems (NIS) Regulations 2018, New York’s Cybersecurity Regulation (23 NYCRR 500) and Singapore’s Personal Data Protection Act 2012 (PDPA).

The penalties for non-compliance can be severe. The GDPR in particular has attracted attention because of its potentially heavy fines – anything up to €20 million (about £17.5 million) or 4% of global annual turnover, whichever is greater – and such fines are likely to result in a great deal of negative press. In addition, the Regulation demands that data protection officers (DPOs) – an important role that is mandated by the GDPR for certain organisations – report to the “highest management level”.

Finally, a Ponemon Institute study showed that the costs of non-compliance – including fines and settlement costs, but also business disruption, productivity losses and lost revenue – are on average 2.71 times the cost of compliance.[9]

Top-down approach

Good practice demands that information security rests on three ‘pillars’: people, processes and technology. Naturally, solid and up-to-date technological measures are vital to security – but for IT to successfully implement them, the board must first provide the necessary resources. Moreover, people and processes – major underlying causes of security incidents[10] – require significant board attention if training is to be taken seriously, and policies and procedures are to be enforced.

Reputational and business impact

Consider, for instance, the data breach Heathrow Airport suffered in October 2017. On the face of it, the airport was fined £120,000 for losing a USB stick[11] – a scenario, you might argue, that could happen to anyone.

However, the follow-up investigation by the Information Commissioner’s Office (ICO), the UK’s supervisory authority, found a “widespread use of removable media in contravention of [Heathrow’s] own policies and guidance” as well as “ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media”. In addition, just 2% of all staff had received any information security training.[12]

In other words, the problem was not primarily the loss of a single USB stick, but how widely removable media was used and, worse still, how relatively easy it was to download sensitive information onto such media. All of this suggests a lip-service approach to security: a policy is barely as good as the paper it is written on if it meets requirements but is unenforced and not supported by appropriate training. A preventable data breach was only a matter of time.

Looking deeper still, all of these problems point to the same thing: a lack of board involvement. As Steve Eckersley, the ICO’s director of investigations, pointed out[13]:

Data Protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise. [...]

Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.

If the board does not appear to take security seriously, employees will, unfortunately, follow suit.

The Heathrow incident received coverage in the press outside the UK, including in France[14] and Sweden[15] – even though the key thing to report was a lost USB stick containing personal data.

Many organisations lose (potential) clients in the aftermath of a breach, particularly if that breach involved customer data. A Ponemon Institute study from 2018 shows this to be particularly the case for US organisations, as customers tend to have more options, making their loyalty harder to preserve: for 2017, lost business cost an average of $4.2 million.[16] Data protection is not just something demanded by law and good practice: it is also a means of standing out from the competition and winning customers’ trust. As KPMG points out, “CEOs who ensure their organization’s data-handling procedures are robust will be rewarded by consumers”.[17]

Moreover, being breached may never be good news, but, if handled well, it can receive positive press. Consider, for example, MyHeritage, which managed a breach well and was rewarded with the headline “This Company Was the Latest to Suffer a Data Breach. Its Reaction Was Perfect”,[18] or the pre-GDPR “Under Armour praised for breach response”.[19]

Management system solutions

Cyber security is a system of defences designed to protect information and information systems in the interconnected world. Naturally, we strongly recommend you put such defences in place, appropriate to the risks you face, but you should also consider implementing business continuity measures.

Business continuity management helps organisations continue to operate during business disruption and recover to normal functionality as quickly as possible. As security incidents are now a matter of when, rather than if, cyber resilience – covering both cyber security and business continuity – is becoming an increasingly important competence.

We believe that the best approach to cyber resilience is to implement two management systems: one addressing information security, and the other business continuity. As management systems are a top-down process of managing risks, this approach helps ensure that the board has oversight of both matters. This contributes to protecting the organisation, but also helps directors meet their statutory duties.

ISO 27001 – information security

For information to be useful to an organisation, it must preserve three characteristics:

1. Confidentiality: inaccessible and not disclosed to unauthorised persons, including competitors and cyber criminals.
2. Integrity: accurate and complete (in other words, reliable).
3. Availability: accessible and usable on demand by authorised persons.

All three are addressed in an information security management system (ISMS) that complies with ISO/IEC 27001:2013, the international standard for information security management. An ISMS is a systematic, documented approach to managing confidential or sensitive company information so that it remains secure.

Besides dictating best practice for an ISMS, ISO 27001 may also be used as the basis for supplier information security audits and supply chain assurance, and as a common reference point for laws and regulations that touch on information security.

ISO 22301 – business continuity

The international standard for business continuity management is ISO 22301:2012. This standard provides the specification for a business continuity management system (BCMS) that helps the organisation manage continuity of services through processes such as risk assessment and business impact analysis (BIA).

ISO 22301 and ISO 27001 follow a common structure, including internal audit, monitoring processes and management review. Both standards also require engagement from the top of the organisation.

Common features

Your organisation can seek independent, accredited certification against both ISO 27001 and ISO 22301. Certification is awarded on the basis of a third-party audit. This confirms your compliance, saving your customers (and other stakeholders) from having to conduct their own audits or go through a rigorous process of setting out complex contractual terms. This could then lead to increased trust and new opportunities.

ISO standards are supported by a range of other publications that provide best-practice guidance on finer points or specific needs. Drawing on these can extend and improve your management systems to help you meet a larger range of requirements and prerequisites, which could ultimately turn into new business opportunities.

Useful cyber security resources

IT Governance offers a unique range of cyber security products and services, including books, standards, pocket guides, training courses and professional consultancy services.

Consultancy

ISO 27001 consultancy

Drawing on our unique blend of practical information security know-how and proven management system consultancy expertise, we can help you implement an ISO 27001-compliant ISMS with ease.

ISO 27001 Live Online Consultancy

Provides quick, expert online consultancy support on specific issues whenever you need guidance with your ISO 27001 implementation.

Cyber Health Check

Assess your cyber risk exposure and identify a practical route to minimise your risks with our three-phase cyber health check.

Cyber Security as a Service (CSaaS)

Backed by years of cyber security experience and a deep understanding of the challenges organisations face, our experts can transform your organisation from ‘unsure’ to ‘cyber secure and resilient’.

Cyber Essentials

This world-leading scheme is a cost-effective assurance mechanism for organisations of all sizes to help demonstrate to customers and other stakeholders that the most important cyber security controls have been implemented.

Cyber Incident Response Management

Identify, detect and contain cyber security incidents faster by deploying a cyber incident response management programme based on best-practice incident response frameworks.

PCI DSS consultancy

Our Qualified Security Assessors (QSAs) provide experience and practical advice to help you improve your current security programme and meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

Testing and audits

ISO 27001 Gap Analysis

Get a true picture of your ISO 27001 compliance gaps, and receive expert advice on how to scope your project and establish your project resource requirements.

Penetration testing

Our penetration testing process involves assessing your chosen systems for any potential weaknesses that could result from poor or improper system configurations, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

GDPR Audit Service

Get independent, professional assurance that your data protection programme and practices comply with the GDPR and the UK’s Data Protection Act 2018 (DPA).

Training and staff awareness

ISO 27001 Certified ISMS Foundation Training Course

Take the first steps towards building a career in ISO 27001 with this introductory course on the key elements required to achieve compliance with the Standard.

Managing Cyber Security Risk Training Course

This practical course helps practitioners formulate plans and strategies to improve cyber security risk management in their organisations.

Information Security and Cyber Security Staff Awareness E-Learning Course

This course teaches staff the basics of data security, information and cyber security risks, and dealing with threats.

Tools

ISO 27001 ISMS Documentation Toolkit

Accelerate your ISO 27001 project with this bestselling toolkit, used by more than 2,000 organisations, which includes documentation templates, easy-to-use dashboards, gap analysis tools, and direction and guidance from expert ISO 27001 practitioners.

vsRisk Cloud

vsRisk Cloud is a Cloud-based tool for conducting an information security risk assessment aligned with ISO 27001. It is designed to streamline the process and produce accurate, auditable and hassle-free risk assessments year after year.

Compliance Manager

Save time, hassle and expenses with Compliance Manager when finding applicable laws to cover in your information security risk assessment.

IT Governance solutions

IT Governance writes and publishes extensively on cyber security and IT governance, risk management and compliance (GRC) subjects, and has developed a range of tools for IT governance, information security and regulatory compliance practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, training and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books

We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of staff knowledge, responsibility and experience.

Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits

Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.

Visit https://www.itgovernance.co.uk/shop/category/itgp-toolkits to view and trial our toolkits.

Training

We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.

Our training team organises and runs in-house and public training courses all year round, as well as Live Online and distance-learning courses, covering a growing number of IT GRC topics.

Visit www.itgovernance.co.uk/training for more information.

Consultancy

We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernance.co.uk/consulting for more information.

Software

Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.

Visit www.itgovernance.co.uk/software for more information.
United Kingdom
Unit 3, Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambs., CB7 4EA, United Kingdom
t: +44 (0)333 800 7000
e: servicecentre@itgovernance.co.uk
w: www.itgovernance.co.uk
@ITGovernance | /it-governance | /ITGovernanceLtd

Europe
t: 00 800 48 484 484
e: servicecentre@itgovernance.eu
w: www.itgovernance.eu
@ITGovernanceEU | /it-governance-europe-ltd | /ITGovernanceEU

USA
t: +1 877 317 3454
e: servicecenter@itgovernanceusa.com
w: www.itgovernanceusa.com
@ITG_USA | /it-governance-usa-inc | /ITGovernanceUSA

Gulf
t: +971 (0) 45 86 9178
e: servicecentre@itgovernancegulf.com
w: www.itgovernancegulf.com
@ITG_gulf | /it-governance-gulf | /ITGovernanceGulf

Asia
t: 00 800 48 484 484
e: servicecentre@itgovernance.asia
w: www.itgovernance.asia
@ITGovernance | /it-governance | /ITGovernanceLtd

© 2003–2019 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification


Endnotes

[1] Quote by Ali Ahmed Al-Kuwari, CEO of QNB Group, the largest financial institution in the EMEA region. Taken from: KPMG International, “Growing pains: 2018 Global CEO Outlook”, May 2018, https://home.kpmg.com/qm/en/home/insights/2018/05/growing-pains-2018-global-ceo-outlook.
[2] PwC, “Strengthening digital society against cyber shocks”, October 2017, https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey/strengthening-digital-society-against-cyber-shocks.html.
[3] Ernst & Young, “Is cybersecurity about more than protection?”, October 2018, https://www.ey.com/en_gl/advisory/global-information-security-survey-2018-2019.
[4] Gartner, “Gartner Survey Reveals That CEO Priorities Are Shifting to Embrace Digital Business”, May 2018, https://www.gartner.com/en/newsroom/press-releases/2018-05-01-gartner-survey-reveals-that-ceo-priorities-are-shifting-to-embrace-digital-business.
[5] “Growing pains – 2018 Global CEO Outlook”.
[6] “Is cybersecurity about more than protection?”.
[7] BSI, “BCI Horizon Scan Report 2019”, https://www.bsigroup.com/en-GB/iso-22301-business-continuity/bci-horizon-scan-report-2019/.
[8] “Growing pains – 2018 Global CEO Outlook”.
[9] Ponemon Institute, “The True Cost of Compliance with Data Protection Regulations”, December 2017, https://www.globalscape.com/resources/whitepapers/data-protection-regulations-study.
[10] For instance, Ponemon Institute’s Cost of a Data Breach Study 2018 shows that 52% of all breaches are caused by human error or system glitches (including business process failures), while the IBM X-Force Threat Intelligence Index 2018 shows that misconfigured Cloud servers and networked backup incidents unintentionally exposed more than two-thirds of total records compromised in 2017.
[11] Note that, at the time, the UK’s Data Protection Act 1998 was still in force, under which the maximum fine was £500,000. Had the fine been levied under the GDPR, the penalty would likely have been much higher than £120,000.
[12] ICO, “Heathrow Airport Limited fined £120,000 for serious failings in its data protection practices”, October 2018, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/heathrow-airport-limited-fined-120-000-for-serious-failings-in-its-data-protection-practices/.
[13] Ibid.
[14] Le Figaro, “Aéroport d’Heathrow: enquête après une faille dans la sécurité”, October 2017, http://www.lefigaro.fr/flash-eco/2017/10/29/97002-20171029FILWWW00035-aeroport-d-heathrow-enquete-apres-une-faille-dans-la-securite.php.
[15] Dagens Nyheter, “Topphemlig information tappades på gata – hittades av arbetslös”, October 2017, https://www.dn.se/nyheter/varlden/topphemlig-information-tappades-pa-gata-hittades-av-arbetslos/.
[16] Ponemon Institute, “2018 Cost of a Data Breach Study”, July 2018, https://www.ibm.com/security/data-breach.
[17] “Growing pains – 2018 Global CEO Outlook”.
[18] Adam Levin, “This Company Was the Latest to Suffer a Data Breach. Its Reaction Was Perfect”, Inc., June 2018, https://www.inc.com/adam-levin/this-company-was-latest-to-suffer-a-data-breach-its-reaction-was-perfect.html.
[19] IAPP, “Under Armour praised for breach response”, April 2018, https://iapp.org/news/a/under-armour-receives-praise-for-myfitnesspal-breach-response/.
