Episode 8

What Does Good Cyber Governance Look Like? A Legal Perspective

From the standpoint of cybersecurity governance, how does an organization stay on the right side of the law? Rois Ni Thuama, Ph.D. (Doctor of Law), Head of Cyber Governance, Red Sift, spoke with great clarity and eloquence in explaining what it means to practice good and sensible cyber governance. She emphasized the importance of looking to expert sources and established security frameworks for guidance, addressing foreseeable and avoidable threats, and making cybersecurity investments that would be deemed (by the courts) proportionate and affordable. Highlighting the importance of strong governance, Rois said, “it is never the widget that’s the problem, it is always weak leadership, weak governance, lack of accountability, lack of responsibility, these are the big issues that need to be addressed.” She also encouraged a regular legal review of cybersecurity practices, based on the assumption that “you have to defend your decision-making in a court of law.”

Memorable Rois Ni Thuama Quotes/Statements

“We are not going to be able to tackle everything, but you don’t need to be able to tackle everything. But you do need to be able to address reasonably identifiable circumstances, that could lead to malfunction, capacity overrun, failure, disruption, impairment, misuse, all of those bad things, right.”

“When you come to court, you really want to nail down everything that is foreseeable and avoidable. Whatever size your firm is, what's reasonably foreseeable and what's avoidable, address those.”

“When you look at big corporate scandals or breaches that have a physical effect, it is never the widget that’s the problem, it is always weak leadership, weak governance, lack of accountability, lack of responsibility, these are the big issues that need to be addressed and it is the same with cybersecurity.”


1:55 – What does it mean to practice good and sensible cyber governance?

5:21 – From a legal perspective, what are the key elements of a robust cybersecurity program?

7:02 – What should be some lessons learned from cybersecurity breaches that organizations have experienced?

12:37 – Is there any best practice that you see out there in terms of how best to incorporate legal or embed legal in cyber governance?

20:14 – How effective are the current laws and regulations to demand top management commitment towards strong due diligence?

26:16 – Organizations could benefit from simulated exercises to assess their legal vulnerabilities in the event of different forms of attacks. Your thoughts?

29:27 – It is important to raise the overall level of awareness of being on the right side of the law when it comes to cybersecurity preparedness. Your thoughts?

32:00 – What advice do you have for global organizations to be on the right side of cybersecurity laws and organizations of different countries?

36:55 – From a legal standpoint, could one put together a more ironclad agreement whereby the vendors have a little more skin in the game?

41:50 – Any final thoughts?

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.