“Plans are of little importance, but planning is essential.”
― Winston Churchill

October 29 Blog

10/29/2024


Why an Independent Cybersecurity Audit is Essential for Today’s Organisations

In today’s rapidly changing cybersecurity landscape, keeping defences robust requires more than just routine checks or internal assessments. While internal cybersecurity teams and IT departments are critical to maintaining security, relying on them for audits may pose significant risks. An independent cybersecurity audit can not only uncover blind spots but also signal a commitment to comprehensive security—especially when it includes a human-centric approach.
Here's why an independent audit is crucial and how a human-centric component strengthens its value.
1. Unbiased Perspective
Internal teams, no matter how skilled, might unintentionally overlook certain vulnerabilities due to familiarity with existing systems and workflows. An independent audit brings a fresh set of expert eyes, capable of identifying gaps and blind spots that internal teams may miss due to over-familiarity or inherent biases.
Moreover, relying on the same cybersecurity provider to conduct the audit can lead to conflicts of interest. Providers may have incentives to downplay issues in order to avoid the appearance of inadequate service, leaving critical vulnerabilities unaddressed. An independent auditor can provide an unbiased, thorough assessment that empowers organisations to make informed decisions based on clear data, rather than relying on assurances from those with a stake in the current setup.
2. A Comprehensive and Human-Centric Approach
Today's cybersecurity threats are multifaceted, and technology alone is not enough to ensure protection. While advanced threat detection tools and firewalls are vital, one of the most overlooked vulnerabilities in cybersecurity is the human element. Employees can unknowingly become entry points for cyber threats due to a lack of awareness, fatigue, or even simple errors.
An independent audit, especially one with a human-centric component, examines more than just technical vulnerabilities. It assesses organisational culture, user behaviours, and human factors that may impact security. For instance, it can provide insights into areas where employees may feel unsupported or overwhelmed by complex security protocols, increasing the likelihood of risky shortcuts or errors.
Through human-centric evaluations, an independent auditor can recommend training programs and technology adjustments tailored to actual user needs, fostering a culture of cybersecurity that supports and protects employees. This focus not only strengthens the company’s defences but also signals to the workforce that their well-being and job security are a priority.
3. A Strategic Opportunity for Improvement
An independent audit, free from internal constraints or assumptions, can deliver a strategic overview of the company’s cybersecurity posture. This includes benchmarking against industry standards, identifying both strengths and weaknesses, and providing insights into emerging threats.
When incorporating human-centric assessments, the audit can pinpoint where policies or systems may cause frustration or disengagement, areas often neglected in internal reviews. This insight can help leadership implement more user-friendly solutions, ensuring that security policies work with employees rather than against them.
4. Promoting a Culture of Security and Trust
By investing in an independent audit, organisations demonstrate their commitment to not only technical safety but also the security of their employees. An audit that includes a human-centric component validates the importance of employees' roles within the broader cybersecurity strategy, promoting a culture of accountability and shared responsibility.
This proactive approach also builds trust within the workforce and fosters collaboration between IT, HR, and other departments. When employees feel that security policies and tools have been designed with their needs in mind, they are more likely to take ownership of cybersecurity practices, reducing risk and improving overall compliance.
As cyber threats become more sophisticated, an independent cybersecurity audit—especially one with a human-centric lens—offers a unique advantage. It ensures that organisations benefit from an impartial, comprehensive evaluation while also fostering a culture that prioritizes employee security and well-being.
By embracing independent audits, leaders not only strengthen their cybersecurity defences but also reinforce trust and resilience throughout the organisation, preparing for the challenges of an increasingly digital world.

October 21 Blog

10/21/2024


Who Should Oversee Cybersecurity in the Absence of a CISO?

In today’s rapidly evolving cyber threat landscape, organisations face the daunting task of securing their digital assets and ensuring business continuity. Traditionally, a Chief Information Security Officer (CISO) would be responsible for this, but in their absence, which C-suite leader should take charge of cybersecurity? The debate often focuses on the Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Financial Officer (CFO), or even the Chief Human Resources Officer (CHRO).
However, cybersecurity is not merely a technical or operational issue—it is a strategic imperative that affects every aspect of the business. And ultimately, the board of directors holds overarching responsibility for ensuring that cybersecurity risks are appropriately managed.
1. The Chief Operating Officer (COO)
COOs oversee the operational continuity of the business, making them naturally attuned to the importance of integrating cybersecurity into the overall risk management framework.
Advantages:
  • Operational Risk Mitigation: The COO can ensure that cybersecurity protocols are woven into business continuity and disaster recovery plans.
  • Process Optimization: With their focus on efficiency, the COO can implement security measures that align with day-to-day operations.
Challenges:
  • Limited Cyber Expertise: While the COO can ensure operational alignment, they may lack the technical skills required to fully understand evolving cyber threats.
2. The Chief Information Officer (CIO)
The CIO manages the company’s technology infrastructure and is typically seen as the natural choice to take over cybersecurity responsibilities.
Advantages:
  • Technical Proficiency: The CIO has an in-depth understanding of the IT systems that need to be secured and is well-equipped to deploy cybersecurity solutions.
  • Integration with IT Strategy: The CIO can seamlessly integrate cybersecurity into the company’s broader IT and digital transformation initiatives.
Challenges:
  • Human Factor Underplayed: CIOs often focus on technological defences but may overlook the importance of human behaviour and corporate culture in preventing cyber incidents.
3. The Chief Financial Officer (CFO)
Given the significant financial consequences of a cyberattack, the CFO plays an important role in understanding the financial risks and compliance obligations associated with cybersecurity.
Advantages:
  • Financial Risk Focus: CFOs excel in balancing the costs of cybersecurity investments with potential financial losses from a cyber incident.
  • Regulatory Compliance: CFOs are often involved in managing compliance and ensuring that the company meets relevant cybersecurity regulations.
Challenges:
  • Lack of Technical Insight: The CFO’s focus on financial metrics means they may not have the technical expertise needed to drive a robust cybersecurity program.
4. The Chief Human Resources Officer (CHRO)
In a time when human error is one of the leading causes of cyber incidents, the CHRO’s role in cybersecurity is becoming more significant.
Advantages:
  • Human-Centric Approach: The CHRO understands the importance of shaping a security-conscious corporate culture, ensuring that employees are aware of their role in safeguarding the organisation.
  • Employee Training and Awareness: HR can lead initiatives to train employees on cybersecurity best practices, significantly reducing the risk of human error leading to breaches.
Challenges:
  • Limited Technical Capabilities: While HR is critical in managing the people side of cybersecurity, the CHRO typically lacks the technical knowledge to oversee the organisation’s full security strategy.
Cybersecurity and Corporate Culture: The Role of HR
Corporate culture plays a vital role in cybersecurity. Employees are often the first line of defence, and fostering a culture where cybersecurity is a shared responsibility across the organisation is critical. HR is instrumental in shaping this culture through training, awareness, and behaviour management. When employees understand that cybersecurity is everyone’s responsibility, they become more vigilant, reducing the risk of human error.
The Board of Directors: Ultimate Responsibility for Cybersecurity
While the COO, CIO, CFO, and CHRO each bring essential perspectives to managing cybersecurity risks, ultimate responsibility does not rest solely with these senior managers. In fact, the board of directors carries the final accountability for ensuring that cybersecurity risks are effectively mitigated.
The board must not only ensure that the right cybersecurity strategies are in place but also hold senior leadership accountable for implementing and maintaining those strategies. Cybersecurity is a critical business risk, just like financial performance or legal compliance, and it should be treated with the same level of oversight. As the stewards of corporate governance, board members must ensure that cybersecurity is embedded in the organisation’s overall risk management framework, allocating the necessary resources and support to the executive team.
Conclusion: A Cross-Functional and Board-Led Approach
In the absence of a CISO, managing cybersecurity requires a cross-functional approach that leverages the strengths of the COO, CIO, CFO, and CHRO. However, it’s not enough for these roles to operate in silos. Cybersecurity must be seen as a shared responsibility across the senior leadership team, with input from all functions to ensure that technical, operational, financial, and human risks are adequately addressed.
Yet, the ultimate responsibility for cybersecurity rests not only with senior management but with the board of directors. The board must take an active role in overseeing cybersecurity strategy, ensuring that the company is prepared to defend against evolving threats. By holding the executive team accountable and providing the necessary oversight, board members ensure that cybersecurity is treated as a core business priority, safeguarding the organisation’s long-term success in an increasingly risky digital world.
Cybersecurity is no longer a technical issue—it’s a strategic one, and it demands attention at the highest levels of leadership.

October 14 Blog

10/14/2024


How Senior Management and the Board Can Accurately Value Their Data

In today’s digital economy, data is often referred to as the “new oil” — a resource that drives business innovation, customer insights, and operational efficiency. Yet, unlike oil, data isn’t a finite resource but one that continues to grow and evolve, making it both invaluable and, at times, difficult to measure. For boards and senior management, understanding how to accurately value their organisation's data is essential to making informed decisions around cybersecurity investments, data governance, and overall business strategy.

Here’s a comprehensive guide on how the C-suite and board members can place an accurate value on their data.
1. Understand the Different Types of Data Value
Data can have different types of value depending on how it's used, managed, and protected within the organisation. Understanding these facets is crucial for assigning an accurate value:
  • Operational Value: Data that drives day-to-day business processes, such as customer records, supply chain logistics, or employee information, can be critical to maintaining business continuity. The loss of such data can disrupt operations, leading to downtime or costly inefficiencies.
  • Strategic Value: Some data informs high-level business strategies and decision-making processes, like market insights, customer behaviour analytics, and future product development insights. Strategic data can be leveraged to create competitive advantages, making it highly valuable.
  • Monetary Value: Data can be monetized directly or indirectly. For example, proprietary customer data can be used to create personalized marketing campaigns or sold in aggregate form to third parties, where applicable. Understanding the potential revenue data can generate is key to its valuation.
  • Risk and Liability Value: The potential financial loss due to data breaches or non-compliance with data privacy regulations (e.g., GDPR, CCPA) contributes to the overall value of data. For some organisations, the fines and legal implications of mismanaging data can be staggering, increasing the need for robust cybersecurity.
2. Quantify the Financial Impact of Data Loss
One of the most tangible ways to value data is by understanding the potential cost of losing it. Senior management can quantify this by considering:
  • Revenue Impact: What percentage of revenue is driven by customer data, proprietary algorithms, or intellectual property? If this data is compromised, how would that affect the bottom line?
  • Operational Costs: If critical business data is inaccessible, what would be the financial impact of downtime? Consider the cost of delayed production, missed sales opportunities, and service disruptions.
  • Regulatory Fines: Many industries are subject to stringent data regulations, with fines for non-compliance reaching millions of dollars. Calculate the potential exposure to regulatory penalties, legal fees, and remediation costs in the event of a data breach.
  • Reputation Damage: Though harder to quantify, reputation plays a significant role in data valuation. A major data breach can erode customer trust, leading to a loss in market share and long-term financial performance. Senior management should consider the cost of public relations campaigns, customer retention efforts, and lost goodwill in the wake of a breach.
3. Leverage Data Valuation Models
There are several models and frameworks that can help leadership teams place a monetary value on data. Common methodologies include:
  • The Infonomics Approach*: Coined by Gartner, this approach views data as a corporate asset that can be managed and monetized. It involves classifying data as a balance sheet asset and developing strategies to maximize its return on investment (ROI).
  • Cost-Based Models: These models estimate the value of data by calculating how much it would cost to replace or recreate the information in the event of loss. This is particularly useful for operational and transactional data.
  • Income-Based Models: This method calculates the present and future revenue streams that are directly attributable to data-driven initiatives. It’s particularly helpful when assessing the strategic value of customer or market data.
  • Market-Based Models: These methods look at the market value of similar data sets. For example, how much are third-party firms willing to pay for comparable data in the industry?
4. Implement a Data Governance Strategy
To ensure data retains its value, it’s critical for senior management to implement strong data governance policies. These policies should address:
  • Data Quality: High-quality data is essential for accurate decision-making. Data that is outdated, inconsistent, or full of errors can quickly lose its value. Regular audits and cleansing processes help maintain data integrity.
  • Data Security: Ensuring that data is adequately protected from cyber threats is paramount to maintaining its value. Investing in cybersecurity measures, conducting regular cyber audits, and implementing human-centric technology solutions are critical steps.
  • Data Accessibility: Data should be easily accessible to those who need it while maintaining strict control over who can access sensitive information. This balance between accessibility and security maximizes the utility of data across departments without exposing it to unnecessary risk.
  • Regulatory Compliance: Staying up to date with evolving data privacy laws and ensuring compliance not only protects from fines but also builds trust with customers. Data protection regulations are rapidly changing, and strong governance ensures that your organisation remains compliant.
5. Engage with External Auditors and Cybersecurity Experts
The true value of data can often be better understood with the help of third-party assessments. Independent audits that focus on data valuation, especially with cybersecurity at the forefront, can provide fresh perspectives that internal teams might overlook. A human-centric cyber audit can help organisations evaluate the impact of data loss on their workforce, processes, and customer trust, helping leadership prioritize where to focus investments.
6. Consider the Role of AI and Machine Learning
As organisations increasingly rely on AI and machine learning to make sense of vast data sets, the value of data takes on an even greater significance. AI-driven analytics can enhance the value of data by uncovering patterns and insights that humans may miss. Senior management should consider the future value of data that can be leveraged for predictive analytics, customer insights, and operational efficiencies.
Valuing data is not a one-time process but an ongoing exercise that evolves as business needs and technologies change. By understanding the different types of value that data holds, leveraging established valuation models, and prioritizing data governance and security, senior management can make informed decisions that safeguard and maximize the value of this critical asset.
Ultimately, placing an accurate value on data is about balancing its potential for generating revenue with the risks of data breaches and loss. By doing so, organisations can ensure they are not only protecting their most valuable asset but also using it to drive long-term success.
*Infonomics is the theory, study and discipline of asserting economic significance to information. It strives to apply both economic and asset management principles and practices to the valuation, handling and deployment of information assets. 
https://www.gartner.com/en/publications/infonomics

October 8 Blog

10/8/2024


The Rise of Insider Threats: How Organisations Can Address This Growing Challenge

Today cybersecurity threats are no longer just external; insider threats are increasingly becoming a critical concern for organisations. Whether driven by malicious intent or simple negligence, insider threats can cause significant financial, reputational, and operational damage. With supply chains, remote work, and digital collaboration expanding, organisations must now put a stronger focus on how to mitigate risks from within their own ranks.
According to research from Gurucul — which surveyed more than 400 IT and cybersecurity professionals — organisations are seeing a rising tide when it comes to insider threats. In 2023, 60% of organisations reported insider attacks, but in 2024 this number jumped to 83%. And in a dramatic shift, the number of organisations experiencing six to 10 attacks in the year doubled from 13% to 25%.
Understanding Insider Threats
An insider threat comes from individuals within the organisation—employees, contractors, or trusted partners—who have access to sensitive data or systems and abuse that access, either intentionally or unintentionally. These threats can take several forms, such as:
  • Malicious insiders: These are individuals who deliberately leak or misuse information for personal or financial gain.
  • Negligent insiders: Employees who unknowingly compromise security by mishandling sensitive data, using weak passwords, or falling prey to phishing attacks.
  • Third-party insiders: External partners, vendors, or supply chain members who have access to an organisation’s systems and accidentally or deliberately cause harm.
While external cyberattacks often grab headlines, insider threats are harder to detect, more personal, and sometimes more damaging because the individuals involved are already trusted with sensitive information.
Why Insider Threats are on the Rise
Several factors have contributed to the rise of insider threats:
  1. Remote Work and Hybrid Environments: With the shift to remote and hybrid work models, employees are increasingly working outside the secure perimeter of the office. This change has introduced vulnerabilities such as unsecured Wi-Fi networks, shared devices, and a reduced ability to monitor activity.
  2. Complex Supply Chains: As organisations become more interconnected with suppliers, vendors, and third-party contractors, their exposure to insider threats increases. The more external entities have access to your network, the greater the risk that something could go wrong.
  3. Economic Pressures: Layoffs, job insecurity, and financial stress can motivate employees to act against their employer. Some disgruntled employees may choose to sell proprietary information or compromise systems out of revenge or for profit.
  4. Access to Advanced Technology: Employees with access to advanced tools and systems may unintentionally misuse them, leading to accidental data breaches or system compromises. Furthermore, as artificial intelligence (AI) and automation tools evolve, they might also introduce new ways for insiders to exploit vulnerabilities.
  5. Sophisticated Phishing Attacks: Attackers have also become more adept at targeting insiders through highly convincing phishing schemes, tricking them into unwittingly sharing credentials or other critical data.
How Organisations Can Address Insider Threats
Addressing insider threats requires a multi-layered approach that combines technology, culture, and clear policies. Below are several strategies organisations can adopt:
1. Conduct Regular Insider Threat Risk Assessments
Start by conducting a comprehensive risk assessment to identify vulnerabilities related to insider threats. This can be done as part of a broader cybersecurity audit, where you examine access controls, user behaviour, and high-risk employees or third-party partners. Consider an independent, human-centric audit, which not only evaluates your technical safeguards but also assesses human behaviour, motivations, and organisational culture to gain deeper insights into potential threats.
2. Implement Strong Access Controls and Monitoring
To prevent misuse of sensitive data, enforce the principle of least privilege—only granting employees the minimum level of access necessary to perform their job functions. Regularly review and update access controls, especially when employees change roles or leave the company.
Use monitoring tools to track employee activity across systems, focusing on unusual behaviours like downloading large amounts of data, accessing systems after hours, or logging in from unexpected locations. Advanced behavioural analytics can identify anomalies that may indicate insider threats, without excessively intruding on employees' privacy.
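As an added illustration (not Cyberplanz's own tooling), the screen below runs the three indicators named above over a constructed access log: a large single download, access outside business hours, and a login from a country the user does not normally log in from. The log format, the thresholds, and the per-user expected-country table are assumptions for the example; it deliberately uses only coarse metadata rather than content, in keeping with the point about not intruding on employees' privacy.

```python
# Added example, not Cyberplanz code. Assumed constructed log format, one event per line:
#   <ISO-8601 timestamp> <user> <action> <bytes> <country>
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set

# Constructed sample log (not real data). The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-10-08T09:12:44 alice login 0 NZ
2024-10-08T09:15:02 alice download 2048000 NZ
2024-10-08T23:41:10 bob login 0 NZ
2024-10-08T23:43:55 bob download 950000000 NZ
2024-10-09T03:05:17 carol login 0 RU
2024-10-09T10:20:00 dave download 120000 NZ
this line is malformed and is skipped
"""

# Illustrative policy values (assumptions); tune them to the organisation's own baseline.
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local time, start inclusive, end exclusive
LARGE_DOWNLOAD_BYTES = 500_000_000           # 500 MB in a single event
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {  # where each user normally logs in from
    "alice": {"NZ"}, "bob": {"NZ"}, "carol": {"NZ", "AU"}, "dave": {"NZ"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    nbytes: int
    country: str


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format, skipping lines that do not fit it."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # a malformed line should not abort the whole screen
        ts, user, action, nbytes, country = parts
        events.append(Event(datetime.fromisoformat(ts), user, action, int(nbytes), country))
    return events


def outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def screen(events: List[Event]) -> List[Alert]:
    """Apply the three indicators; one event can raise more than one alert."""
    alerts: List[Alert] = []
    for e in events:
        if e.action == "download" and e.nbytes >= LARGE_DOWNLOAD_BYTES:
            alerts.append(Alert(e.user, "large_download", f"{e.nbytes} bytes at {e.ts.isoformat()}"))
        if outside_business_hours(e.ts):
            alerts.append(Alert(e.user, "after_hours", f"{e.action} at {e.ts.isoformat()}"))
        if e.action == "login" and e.country not in EXPECTED_COUNTRIES.get(e.user, set()):
            alerts.append(Alert(e.user, "unexpected_location", f"login from {e.country}"))
    return alerts


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Distinct rules per user, users hitting the most indicators first, for analyst review."""
    hits: Dict[str, Set[str]] = {}
    for a in alerts:
        hits.setdefault(a.user, set()).add(a.rule)
    return {u: sorted(r) for u, r in sorted(hits.items(), key=lambda kv: -len(kv[1]))}


if __name__ == "__main__":
    for user, rules in triage(screen(parse_log(SAMPLE_LOG))).items():
        print(f"{user}: {', '.join(rules)}")
```

A single after-hours login is weak evidence on its own; the triage step exists so that a user who trips several independent indicators is reviewed by a person before any action is taken.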
3. Promote a Culture of Security Awareness
A strong security culture is one of the most effective ways to combat insider threats. Training employees on security best practices, such as how to spot phishing emails, securely handle sensitive data, and recognize suspicious behaviour, is essential.
Fostering a culture where employees feel valued and engaged reduces the likelihood of malicious insider threats. When staff feel secure in their roles and see that the organisation prioritizes their well-being, they are less likely to engage in retaliatory actions. Promoting job security, clear communication, and support can go a long way in reducing insider risks.
4. Deploy User-Friendly Technology Solutions
Ensuring that security tools are not overly complex or burdensome for employees is key to minimizing accidental insider threats. Employees frustrated with difficult or slow-to-use systems may inadvertently bypass security protocols, introducing risks.
User-friendly technology that supports employees, rather than hinders them, is critical. Implement cybersecurity solutions that are both AI-enhanced and human-centric, ensuring that they adapt to user behaviour while maintaining high security standards. For example, intelligent password management solutions, AI-driven anomaly detection, and automated compliance tools can help reduce risks without overwhelming employees with too many manual processes.
5. Monitor and Vet Third-Party Partners
Supply chains and third-party vendors are a common source of insider threats. Regularly vet third-party partners to ensure they meet your organisation’s security standards. Implement stringent access controls for external users and require multi-factor authentication (MFA) for any third-party access.
It is also important to have clear contracts that hold third-party vendors accountable for maintaining the security of your systems and data.
6. Establish Clear Incident Response Plans
Despite your best efforts, insider threats may still occur. Having a clear incident response plan in place is crucial. This plan should outline how to detect, investigate, and respond to insider threats efficiently. Include steps for containing the breach, preserving evidence, and reporting the incident to the appropriate authorities. Regularly update and test the plan to ensure its effectiveness.
Insider threats are an evolving and complex cybersecurity challenge for organisations of all sizes. By understanding the different types of insider threats and addressing both the technological and human elements, organisations can protect themselves from these risks. Through regular audits, strong access controls, security awareness training, and the implementation of human-centric, user-friendly technology, you can significantly reduce the likelihood and impact of insider threats on your organisation.
Proactively addressing insider threats not only protects your organisation’s assets but also strengthens trust within the workforce and supply chain—creating a more resilient, secure business ecosystem.

Author

Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure—bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business—not just IT’s.
