
Bridging the gender gap critical for cyber security

By DEREK SMITH

There are arguably two key problems encountered with cyber security governance - the misrepresentation of cyber security risks at executive and Board levels, and the under-representation of women in the industry. Yet the pressure to secure businesses against cyber-related incidents and, more importantly, cyber breaches is immense.

It is critical that your company's approach to cyber security risks is thorough and representative of today’s challenges, while anticipating tomorrow’s needs. One of the key obligations for a risk and compliance professional is to ensure that a firm's objectives and cyber security framework are aligned, and take into consideration the local and international laws governing their industry. These factors may be disconnected due to misconceptions.

Elena Kvochko, a contributing writer at Forbes, in her article How to make cyber security more approachable, wrote: “Security knowledge can make or break a career. While industries have evolved from awareness to implementation and specific guidelines, there are still a lot of misconceptions. Not understanding the inner workings of technology is no longer an option for executives.”

One such misconception is that information technology (IT) is synonymous with cyber security. Their priorities, required skills and responsibilities are different, and often compete. IT is concerned with the functionality of hardware, software and the network. Conversely, cyber security addresses the security of digital information. IT establishes controls, whereas cyber security monitors those controls to ensure they work as intended. IT training is centred around new hardware, software and solutions, while cyber security training encompasses staying up-to-date on the new threats, developments and risks that are constantly emerging.

Such misconceptions in practice can inadvertently cause issues because the incorrect role, or person, may have a seat in the boardroom. Here is why:

Corporate Governance

Without understanding the components of governance, corporate structures may be built with flaws. The compliance professional must assess the corporate landscape and make the case, through Board and management training, for segregation between IT and cyber security responsibilities. Information technology/systems governance is the responsibility of the chief information officer (CIO), who is sometimes called the IT director or head of IT.

Some companies even go to the length of splitting the role of CIO from that of chief technology officer (CTO). By contrast, information security (InfoSec) governance is the responsibility of the chief information security officer (CISO). If your CISO reports to your CIO or CTO, you may have a problem. If you are a Board member and you have just identified that you have a structural problem, now is always the best time to correct it.

Under-representation of women in the industry

Statistics from gender gaps in employment, produced by Poster in 2018, show that women account for less than 20 percent of all cyber security professionals worldwide. This is an unacceptable statistic in one of the world’s top careers in 2020.

The misconception that technology is a masculine career is outdated, and this image must change. Addressing this disparity between women and men within the cyber security space will assist with reducing the projected skills gap within the industry. “It is estimated that the number of unfilled cyber security positions will grow to a staggering 3.5 million by 2021”, said Sarah Hospelhorn in her Varonis.com article on May 20, 2020.

In conclusion, as Cyber security Month continues, it is imperative that the gap in gender representation in the field is reduced by conscious efforts from Boards and management leaders to proactively recruit, train and promote women in the cyber security workforce. Moreover, clarity must be achieved at Board of Directors and executive levels for the inclusion of the CISO - separate and apart from the CIO - at executive levels, or incidents and breaches will continue to rise.

NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at a local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).
