A few years back, cybersecurity was something that did not get a lot of attention from boards. Today, when scanning headlines and news about the latest high-profile cyberattacks, your blood pressure elevates as you wonder: could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders? With such high stakes, most of us would agree that cybersecurity deserves full attention from the highest levels of an organisation.
A cyberattack or breach is not a matter of “if,” but “when”. When it does happen, preparation is everything. Although many boards recognise that cybersecurity is a risk that requires their specific attention, most struggle to define a comprehensive approach that will genuinely manage risk, rather than piecemeal initiatives with the hope that they are sufficient. As a result, the question remains as to whether the response to cybersecurity threats is adequate.
Organisations are unique and each needs to set its own direction and tone for cybersecurity. All aspects of a business, including strategy, business development, supply chain, staff and customer experience, will be affected. In the coming years, managing cybersecurity will potentially require radical changes to businesses and their operations.
From our engagements in different industry sectors, it is apparent that there is a need for a pragmatic approach to govern cybersecurity that is grounded in practical experience. There are many frameworks for the management of cybersecurity. However, there is little practical guidance as to what boards should consider in the governance of their organisation with regard to cybersecurity.
How can boards address the risk of cyber exposure within their organisation?
Boards need to align their cyber strategy with their business strategy and goals. This would enable them to understand and quantify their cyber risk environment. It’s imperative to protect what’s important by putting in place the right people and processes, so that they know where their critical information is located and how to safeguard it. Being secure enables organisations to reach new markets, suppliers, partners and continually adapt to changing customer demands.
Are board members supposed to manage cyber risk by themselves?
As the cyber threat landscape evolves, boards have to keep looking for ways to get a better grip on how to oversee cybersecurity risk. Boards do understand the potential damage a breach can cause, but there is often a knowledge and translation deficit that can weigh on directors. Boards aren’t expected to have all the answers related to cyber risk, but they do need to engage with management and challenge them by asking the right questions, so they can stay on top of this complex and dynamic risk.
Who has the responsibility to drive a cybersecurity culture?
It all comes down to leadership and accountability. If the culture of the executive team says, “This is an IT problem and we’re just going to have some security guy deal with it,” everybody is free to ignore their own responsibilities and assume some worker bee is going to handle it. But if leadership recognises that it is everyone’s responsibility to identify risks, then it’s a totally different mindset.
A culture of accountability doesn’t mean everything is going to be perfect, but everybody will play their part in managing cyber risks. For example, the chief executive and the executives in charge of sales, marketing, finance, operations and other functions need to understand their role in cybersecurity, in managing digital risk and in setting the right tone at the top.
What prevents boards from implementing cyber strategy?
The cost involved in implementing a cyber strategy makes boards think twice when it comes to protecting their information assets. It depends on the industry, but nobody wants to spend money that could be profit on something that’s not their core business.
During our discussions with boards, we noticed that there were primarily two triggers for investment in cybersecurity. Firstly, if an organisation had just been compromised, it would throw money at the problem and hope the issue goes away. The stakes are high: executives tell us that they consider reputational damage the most devastating impact of a cyber breach, followed by legal and enforcement costs.
Secondly, there are regulatory requirements for companies to be secure. However, there is still a presumption that implementing cyber strategy involves substantial investment.
Leaders need to acknowledge that cyber threats and cybercrime are issues that must be proactively addressed in order to move to the forefront of digital. They don’t have to spend a lot of money to be secure, but they do need to be clear about the risks they are trying to address in order to secure their environment and build confidence in the digital future.
How could corporate leaders encourage their executives to think about security, when it’s probably not something in their purview?
We encourage boards to start asking questions like: “What is the risk to our organisation; to our brand?” This can result in discussions where everybody is thinking differently about the things that matter most. For example, a marketing person might think: “I don’t have anything to do with cybersecurity,” but once you involve them in such discussions, it boils down to the impact of an attack on the brand. Since marketing is all about the customers and the brand, they do in fact have a role and a stake in preventing attacks.
Most organisations, before you start that conversation, take the approach of: “Well, our system is not Internet facing, so we’re secure.” But if you start asking probing questions about how they would be affected, they think of things like the impact on their product, or what a security breach somewhere in the supply chain would mean for their business.
Another question is, “What is your response when there’s an incident?” Mature organisations will have an incident response plan, overseen by the chief information security officer, who reports directly to the executive board. We encourage the board to ask, “What is your role if there’s an incident?” It generates ideas about what they would say to their shareholders if and when something went wrong.
Leading companies are integrating cybersecurity, privacy and digital ethics from the outset, which enables them to actively engage with existing customers and attract new ones. Boards and executives with a sustained focus on cybersecurity do more than protect their business; they enable growth in the digital age.