Cyber Risk Governance Tackles Root Causes, Not Symptoms

May 23, 2017

In just over one week, WannaCry has wormed its way through hundreds of thousands of networks across around 100 countries. Countless articles have been published in hopes of helping businesses solve their ransomware issues—or avoid being infected themselves. Most articles involved updating operating systems with the latest patches. Others naively suggested anti-phishing training for employees, but WannaCry is a form of malware called a worm, which replicates itself without the need for human intervention.

Deciding on a strategy to protect your organization is like choosing a good doctor. For good health, should you choose a doctor who is good at writing prescriptions to treat your symptoms, or would you be better off finding a good diagnostician who identifies and treats root causes?

When a high-profile breach occurs, too often we search for a quick fix, either in the form of advanced technology that provides protection against the threat, or a single step (e.g., training) to close the chink in our armor where the breach was identified. Applying a quick fix is like treating a symptom: it may be necessary to address the immediate problem, but it doesn’t provide a long-term answer.

According to the Department of Homeland Security, as many as 85% of targeted cyberattacks are preventable through basic risk-mitigation measures.

Surprisingly, 80% of breaches are due to breakdowns in policy and procedures, not technology. A more astute approach to cybersecurity requires taking a broad view of the people, processes, and policies that support good cyber hygiene. Continuing the medical analogy, it’s the equivalent of implementing regular physicals and a wellness plan instead of waiting for symptoms to appear and then going to the emergency room.

Addressing cybersecurity requires a cultural shift throughout the organization, not just from IT and security staff, but from top leadership and across the enterprise. The NIST Cyber Security Framework has become the de facto framework for managing cyber risk organization-wide. It enables assessment and frames guidance in non-technical terms that enable all key stakeholders to understand their role in managing and mitigating the risk that breaches and hacking represent.

What are examples of tackling the root cause rather than attacking symptoms?

Cyber Risk Governance (CRG): Policies, processes, and mechanisms enabling non-technical corporate directors, internal auditors, general counsel, and chief risk officers to maintain insight into and exert control over an enterprise’s level of protection against cybercrime.

| Issue | Tackle a Symptom | Tackle the Root Cause |
|---|---|---|
| Malware | Patch the OS | Review all threat and vulnerability management activities periodically to ensure conformance with policies. |
| Phishing | Train employees | Include training in onboarding new employees and conduct regular testing of employees’ susceptibility to the latest phishing appeals. |
| Ability to respond | Create incident response plan | Establish and maintain a relationship with an incident response vendor that maintains constant capacity to carry out your response plan. |
| Cyber Risk Governance | Train members to understand cyber risk | Make cybersecurity a team sport by involving key stakeholders (board, internal auditors, general counsel, risk management) using NIST CSF as a foundation and common language. |

Malware

Don’t just patch your operating systems. Go beyond to establish a process for regularly monitoring the patches taking place across the enterprise.

Phishing

Add a process to regularly train new and existing employees on cyber awareness. The next big breach might look different, so every organization should test its employees regularly to see whether they are resistant to the most current phishing appeals, which keep evolving.

Ability to Respond

Developing an incident response plan is vital; developing a partnership with an incident response vendor that maintains constant capacity to instantly implement your response plan will amplify its effectiveness.

Cyber Risk Governance

Excellent board training from organizations like Ridge Global and NACD is available now. Increasing board understanding of basic cybersecurity principles is important, but the overriding goal of governance is to engage all key stakeholders in cybersecurity, including general counsel, internal auditors, risk management, human resources, and procurement, as well as the security and IT functions.

Economic analyses of healthcare practices suggest that far better health outcomes result when a systematic wellness plan is followed. Likewise, practicing effective cyber risk governance greatly minimizes the likelihood that cyber breaches will cause catastrophic results.
