Governing cybersecurity requires understanding your enterprise's digital systems

 

Article | September 19, 2024


 

Digital systems are foundational in today’s business environment and can provide competitive advantages when properly used. However, their failure can also damage companies and disrupt society. Digital system complexity and related cybersecurity challenges are only growing with the addition of artificial intelligence (AI) to the business landscape. Digital systems are here to stay, and they are challenging for boards and management teams to govern and manage.

Taking on these challenges begins with the board and management team developing a shared understanding of the systems that make up every enterprise. The “enterprise as a system” (EAS) consists of the web of components necessary for a business to function: information technology tools (applications, servers, databases, hosted solutions); physical elements; and the people who utilize them. Boards and management teams need a business-level understanding, not technical knowledge, of how these systems work and interact across the enterprise, achievable through three essential actions:

1) Organize the board and management team for optimal governance and management.

2) Educate the board, management and employees about the EAS and its related cyber risk.

3) Foster a culture in which all stakeholders share responsibility for cybersecurity.

This is the second of four articles that explore each of these elements and how they work in concert to align board directors and managers on addressing digital risks to their business. The “organize” element was addressed in a previous article: Governing cybersecurity means revamping your organization and processes. This article addresses the “education” element.

EAS ‘education’: Contextualizing digital risk as a systemic risk

Typical cybersecurity reporting to the board and C-suite deals with areas such as compliance, penetration testing, heat maps and dashboards. Although impressive and important, this information can be overly technical and lack context—providing it to board members is like showing them the instruments in the cockpit of a jumbo jet and then asking them to strap in and fly.

Ultimately, important cybersecurity indicators without context have limited value for board governance. In addition, cybersecurity management teams often lack the enterprise-wide perspective of experienced board members, a perspective important for dealing with enterprise-wide risk.

For these reasons, boards and management teams must meet in the middle to develop a shared understanding of the systemic risk that digital risk poses to the enterprise.

Key actions for boards

Bringing it together

Understanding how digital systems work and interact is table stakes for effectively governing and managing in today’s business environment. The steps outlined in this article prepare boards and management teams to take advantage of evolving complex digital systems, including AI, while minimizing their risk. Investing the time and resources to educate boards and management teams will result in more resilient enterprises, reduce incident recovery time and optimize cybersecurity spend. Together the “organize” and “education” elements of the EAS set the stage for developing a cybersecurity culture where all stakeholders feel responsibility for protecting the enterprise against cyberattacks. There are no check-the-box solutions for digital risk.


 


This article was written by Rod Hackman, Robert Snodgrass and originally appeared on 2024-09-19. Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/governing-cybersecurity-understanding-your-digital-systems.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.