So, what is changing?
The emphasis is now not only on diligently protecting your business and its data and systems, but also on having cybersecurity governance in place that specifies an accountability framework, provides oversight of potential risks, and implements controls to ensure those risks are mitigated.
In simple terms, governance is the process of overseeing the cybersecurity teams tasked with mitigating business risks and ensuring that all organisational objectives and standards are met.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long advocated five functions for an effective cybersecurity program: Identify, Protect, Detect, Respond, and Recover. In its first update in a decade, the NIST list has grown to six with the important addition of Govern.
Governance (and the associated reporting) is also on the mind of the Australian Government as it looks to international standards and frameworks like NIST and ISO 27001 as best practice for businesses and organisations of all sizes.
Failure to take the necessary steps to include governance in your cybersecurity strategy will undoubtedly attract negative attention and penalties from customers, stakeholders and legislators alike should you experience a data breach.