Demonstration of commitment and support is needed for all cyber resilience policy and governance considerations. This must come from the person who holds the responsibility, the CEO.
Policy and business activity must provide the way to articulate cyber security/resilience considerations so the CEO can make informed decisions. All activities must be in support of business objectives valuable to current and potential customers. There must be a continual improvement life-cycle associated with all activities.
Cyber Resilience Policy Considerations
- What are the high level objectives of cyber resilience within the organization?
- What is the right balance between prevent, detect and correct for this organization?
- What are the most important strategic assets of the organization?
- What is the value to all stakeholders, including customers, partners, and regulators? Define value.
- How should organizational assets be classified, and who should do this?
- What is the willingness to accept, avoid, transfer, and/or share each risk? How is it articulated?
- What are the high-level security responsibilities of each group or team within the organization?
- How should risks be assessed and managed, and who should be doing this?
- How is change managed?
People tasked with managing change must have the clout to make change. Business and IT controls must ensure that resilience is considered and required for every request for change. This is tough in the telecom industry because telecom companies see themselves as technology companies, when their real business is to facilitate communication. The industry needs to recognize business and IT as collaborative partners. It cannot rely on technology alone and must recognize the important role of people. Cyber resilience policy must lead this.
- What is the right education needed to keep employees, partners, and customers aware of current and evolving threats?
Putting on the CEO Hat:
- I don’t get it. It’s complex.
- I hate not getting this.
- Simplify this complexity to support conversations between me and the CISO and CRMO.
- My attention span is short. Get points across in 30 seconds.