ISACA Acts as Expert Adviser to UK Cyber Policymakers

Author: ISACA Now
Date Published: 18 August 2021

Concerns related to cyberattacks are wide-ranging, with impact on organizations’ reputations, the possibility of physical/financial harm and supply chain disruptions causing the most unease, according to ISACA’s recently released State of Cybersecurity 2021 report.

Not only is ISACA addressing these challenges by training and upskilling the cybersecurity workforce, but ISACA also is making a significant push on the advocacy front. Specifically in the United Kingdom, since 2019, ISACA has been working closely with the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) on their wide-ranging review into Cyber Security Incentives and Regulations to explore ongoing barriers to organizations taking effective action to manage cyber risks.

ISACA Global Government Relations and Public Affairs, with the expertise of ISACA UK volunteers, has acted as a trusted and expert advisor throughout the process, particularly on issues relating to cyber management in supply chains and on cyber standards and frameworks. ISACA has conducted numerous one-on-one meetings with the DCMS team leading the review and submitted detailed responses to the UK government during various stages of consultation.

ISACA has been pleased to co-host three roundtables with the UK Government as part of the review, acting as a convenor of industry experts to support the policy development process. ISACA brought together a range of large and small organizations from different sectors, including financial services, defense, and cybersecurity. The professionals shared views on best practices and on the barriers to organizations effectively managing cyber risk, and provided feedback on proposed government interventions.

Contributing to the review process also presented a significant opportunity for ISACA to further the case for IT audit and the introduction of a Sarbanes-Oxley Act type of regulation in the UK, as audit and corporate governance reforms have been simultaneously taking place in other governmental departments. ISACA has been pleased to see the DCMS recognize that these reforms could serve as a regulatory lever through which to drive improved cyber risk management and business resilience across the UK. ISACA also has been making direct representations and providing evidence to the Business Department, which is leading on audit reforms in the UK.

ISACA’s roundtables with government have covered two main themes: managing cyber security in supply chains and cyber resilience standards, frameworks and metrics. The method of engaging with decision-makers has also been replicated in work with the Information Commissioner’s Office (the UK privacy and information rights regulator) holding a focus group with ISACA chapter members on its new AI Audit framework.

Supply Chain Cyber Security
ISACA has partnered with DCMS to convene two roundtables on supply chain cybersecurity. The first advised the UK Government on the barriers to effective supply chain cyber risk management and proposed solutions. This was an area where the review team lacked expertise. DCMS then published a Call for Evidence with proposals to manage supply chain cyber risk and the particular challenges faced by managed service providers, and invited ISACA to co-host a roundtable to discuss the proposals.

ISACA hosted this important discussion that covered various barriers to improved supply chain cyber resilience: low recognition of cyber threats, limited visibility into supplier risk, insufficient expertise to evaluate risk, a complex standards environment, and structural imbalances between large suppliers and small organizations, with little leverage to ask suppliers to enhance security measures.

ISACA members residing throughout the UK and other industry colleagues provided expertise on the importance of cyber management being built into corporate governance, the adequacy of current standards and guidance for organizations of different sizes and from different sectors, as well as how standards can be embedded into procurement processes. The discussion also highlighted the challenges in effectively managing digital supply chains on a global scale without internationally set standards.

Cyber Resilience Standards, Frameworks and Metrics
The need for mandatory standards for cyber maturity assessments and cyber metrics was a prominent feature of both roundtables on supply chain cyber management. Given that, ISACA worked with the UK Government to run a third roundtable on the wider challenges that remain in incentivizing organizations to adopt cyber resilience standards, frameworks and metrics.

The UK Government’s objective was to develop policy to ensure that organizations are able to assess their risk and understand what controls or measures should be implemented. Another goal is to develop a return-on-investment case and, as such, invest wisely in cybersecurity measures. Finally, the UK aims to give other interested partners (i.e. investors, shareholders, procurers) greater confidence that organizations are effectively managing their cyber risk.

ISACA representatives and other experts shared their views on many subjects, including the applicability and relevance of existing standards and frameworks, executive and board-level cyber fluency, optimal ways of implementing standards and frameworks, developing governance and audit regimes, and embedding cyber within broader organizational risk culture to be effective. ISACA was able to explain how tools such as CMMI and maturity assessments, as well as the use of certifications and learning tools, can add to cyber resilience, as well as provide international evidence of their efficacy.

Next Steps
The UK Government will soon be publishing its conclusions in a paper entitled “The Business Resilience and Cyber Security Review,” outlining their policy direction. This will be followed by a new UK National Cyber Strategy by the end of the year.

ISACA will continue to work closely with the UK Government to make the case that the following measures should be implemented to drive improved cybersecurity behaviors and organizational resilience:

  1. As part of reforms to the future of audit, the Government must mandate that future financial audit and corporate governance regimes include reporting on IT and cyber risk management processes and controls.
  2. The Government must require organizations to undertake cyber maturity assessments and set robust minimum standards that these assessments must meet across pre-determined metric indices and themes, which can be built into procurement processes.
  3. The Government must update and strengthen cyber security guidance to be sector and organization size specific, and create a one-stop-shop for businesses to access clear best practice guidelines and reference points on how to improve their cyber risk management.

For further information on ISACA’s work with the UK Government, please contact Emily Bastedo, Director of Global Government Relations and Public Affairs at ISACA, at ebastedo@isaca.org.