Implementing, Executing, Monitoring, IT, Data and Cyber-Security Role, Responsibility, Accountability, Liability and Assessment
The responsibilities, accountability and tasks of the Board of Directors and senior/executive management of listed, privately owned and public companies have grown significantly. The primary focus of the Board is on the vision and strategy related to GDPR, IT and Cybersecurity, IT Governance, Risk Management and Compliance (GRC), mergers and acquisitions and related issues. However, it is essential that the Board and management are also qualified and understand the problems behind data and IT in general, and Data Protection, Data Privacy and IT and Cybersecurity in particular.
Accountability and IT Governance
In the past, data privacy and data protection issues fell under the umbrella of the general Compliance mandate; however, with the introduction of the EU GDPR, these areas have been taken out of the GRC scope. They are now independent areas of Board and senior management responsibility as well as accountability.
This means that the Board of Directors and senior management must take responsibility for complying with the GDPR components of Data Protection, Data Privacy and IT and Cybersecurity throughout the organisation, and must be able to document GDPR compliance. Therefore the Board of Directors and senior management must ensure that appropriate technical and organisational measures are in place to meet the requirements of accountability.
The principle of accountability applies to small, medium and especially large companies and institutions, public and state-owned as well as all private organisations.
- The Board must be (pro)active and come closer to the Data Protection, Data Privacy and IT and Cybersecurity issues in the company, in the interests of the stakeholders and the development of IT Governance.
- The Board must ensure that the composition and evaluation of the Board and the relevant committees provide the competencies, experience and expertise to take the lead on IT and Cyber-Security issues.
- The Board must be able to use Data Protection, Data Privacy and IT and Cybersecurity compliance to create culture and competitive advantage, and to work towards value creation and competencies for the benefit of all stakeholders and society.
IT Security and Governance is a field in significant development and includes topics such as:
- The role and tasks of the Board concerning the IT and Cyber Strategy, and the recruitment and dismissal of skilled IT staff.
- The Board of Directors' interaction with management on IT, Cybersecurity, Data Protection and Data Privacy issues.
- Board and senior management competence development, training and awareness on IT, Cybersecurity, Data Protection and Data Privacy issues.
- Devoting adequate time to developing forward-looking strategies on IT, Cybersecurity, Data Protection and Data Privacy issues.
- Developing value-creating relationships through closer dialogue with third parties concerning IT, Cybersecurity, Data Protection and Data Privacy compliance.
- Encouraging an IT and Cybersecurity learning platform based on experience from practice and research-based knowledge.
Value creation has become an overarching benchmark for Board of Directors and senior management efforts and is reflected in the prioritisation of board work. We conclude this blog by re-emphasising two areas that the Board of Directors and senior management can take charge of and ensure:
Lead the development of data protection, privacy, IT and cybersecurity policies. Business leaders and technical staff should collaborate on policy development and ensure that systems are well understood by all stakeholders in the organisation.
Review all current cybersecurity and risk policies to identify gaps or weaknesses by comparing them against recognised or in-house cyber risk management frameworks. Develop a policy roadmap, prioritising policy creation and updates based on the risk to the organisation as determined by business leaders and technical staff.
Invest in essential IT platforms and cybersecurity. Invest in IT platforms and cybersecurity capabilities for your organisation and staff. This includes not only investment in technological capabilities, but also continuous investment in cybersecurity training and awareness for your organisation's personnel. Use the Cyber Essentials to have conversations with your staff, business partners, vendors, managed service providers and others within your supply chain.
Use risk assessments to identify and prioritise the allocation of resources and cyber investment.