Cybersecurity governance: Thinking global, acting local

Companies with extensive operations worldwide must apply a global perspective to cybersecurity governance, while at the same time ensuring that risks at a regional level are not overlooked. For a global organisation, regional considerations can make enforcing consistent standards a challenge as operations in different geographies often use different carriers and suppliers, or different policies and redundancy systems. If a British organisation has operations in Colombia, for example, and the Colombia operation employs a third-party provider, there may be uncertainty as to whether the provider has been vetted and operates at the standards enforced in Britain.

Cloud and cybersecurity

Cloud-based delivery can lead to further cybersecurity complications, with companies and employees unwittingly committing security breaches and regulatory non-compliance. In the US, for example, the International Traffic in Arms Regulations (ITAR) control the export of defence articles and related technical data, and disclosure of that data to a foreign person or its storage on infrastructure outside the US can itself count as an export. When data travels through cloud-based networks whose physical location and operator staffing the customer does not control, companies can unknowingly share protected information, risking national security and/or exposing themselves to heavy corporate fines.

To further complicate matters, regional and cultural factors can create different standards within the same service provider organisation. An Infrastructure-as-a-Service provider might certify a UK data centre to ISO/IEC 27001:2005 in order to satisfy customer demand for that level of protection, yet elect not to apply as rigorous a standard to a data centre in the US. If customer data is mirrored between the UK and the US, customers whose control sets require that level of protection for every copy of their data will find those controls unmet by the US replica. The practical check is that an ISO/IEC 27001 certificate applies only to its stated scope, so customers should confirm that every location where their data is stored or replicated falls within the scope of the certificate they are relying on.

A balancing act

Most businesses today are unsure how best to achieve a proper global/regional balance, and are torn between taking a centralised approach and allowing each region to operate independently. While myriad models and approaches are deployed, some form of centralised global steering committee that provides a single view of business operations across the world is crucial. The goal should be to collect data and enable governance at the local level, while at the same time providing continuous input and analysis of security and compliance across the global system.

Traditionally, security was viewed as a discrete, siloed function that focused on technical controls such as firewalls and encryption. As security risks become increasingly varied and dispersed, this narrow approach is no longer viable. In response to a dynamic threat landscape and to changing regulatory requirements in many industries, cybersecurity strategies have evolved to be more agile and responsive, and more closely integrated with enterprise governance. This enables focused attention to changes affecting local entities or individual business units, coupled with high-level oversight.

Top-performing organisations are recognising that governance structures and policies can’t be hard-wired to address static, point-in-time security threats. Concurrently, accountability for governance and cybersecurity is increasingly shared across business owners, reflecting a cultural shift towards flexibility and shared responsibility.

Peter Iannone is a Managing Director with Alsbridge