Major advances in everything from connectivity, mobility and big data to artificial intelligence, machine learning and the Internet of Things mean that technology now forms the nerve centre of every industry; we simply can’t operate without it. Technology has moved from enabler to mission-critical. This degree of dependency is not without risk. The downside of all of the commercial opportunities and societal advancements is the increased potential for our symbiotic relationship with technology to be disrupted and exploited. With business continuity, compliance and reputational factors now all inextricably linked to the strength of an organisation’s cybersecurity regime, it’s no wonder that security is high on board agendas.
The good news is that evidence from a recent study by Protiviti suggests that a board which is fully engaged with management on cyber risk and security actually helps the company mitigate risks. Such organisations performed better in understanding where critical data lies, how it is classified and protected, and how security is communicated to employees. Still, the rapid pace of technology change and the constantly evolving threat environment mean that many boards lack confidence when assessing cyber risk and challenging senior management on their security strategy. What key areas should boards focus on to improve their performance in this area and deliver leadership that drives a culture of security throughout the organisation?
1. First Things First – Understand your Board's Attitude to Cyber Risk and Prepare to Respond to Incidents
In an ideal world, companies would have zero tolerance to cyber risk, but the world is far from ideal and the threat environment too complex for this to be a realistic approach. The fact is that cyber breaches are inevitable, and what’s needed is a pragmatic approach to defence and a solid plan in place for when they occur.
The board needs to understand the risks associated with the data that the organisation holds and the potential consequences of a major theft or a disruption of systems. It then needs to agree with management on the level of disruption that is permissible. This will vary depending on the nature of the organisation. A retail business, for example, risks financial losses if its website is hacked, whereas disruption to hospital systems could result in a threat to life.
Once the organisation’s risk posture is established, management and security teams can mitigate risk effectively on a clearly defined basis. The risk posture sets the priorities for investment in each security area and focuses on the high-risk, material threats to continuity, compliance and reputation. The board’s ongoing role is then to provide oversight of the strategy and to challenge it regularly to ensure that the programme evolves appropriately with the threat environment.
Boards should also make their own preparations and undertake training on how to respond to a cyber-attack. In a crisis, the actions of directors and senior management make the difference between a competent, confident response that restores faith in the organisation and an escalating disaster. Commenting to SC Magazine on the fact that 68% of FTSE company boards had no training in dealing with a cyber-incident, Paul Taylor, UK Head of Cyber Security at KPMG, said: “…knowing how to deal confidently with an incident in the heat of the moment can save time and money. The aftermath of a cyber-attack, without the appropriate training in managing the issue, can result in reputational damage, litigation and blunt competitive edge.”
2. For the Short Term: Break the Reactive Security Cycle and Get to Know Your CISO
Too often, cybersecurity can seem like an exercise in firefighting, with organisations stuck in a breach-response cycle that prevents them from taking a more strategic approach. The board is in a good position to help change this by actively challenging management to take a higher level and more long-term view of security.
One executive who will welcome this approach with open arms is the Chief Information Security Officer (CISO). The CISO’s profile has risen in tandem with the growth of the threat environment, meaning that today’s CISOs don’t just possess solid technical skills, they are also responsible for change management, compliance and building business cases for strategic security investment. These are all things that they should be reporting to the board, yet according to the UK Government’s Cyber Governance Health check report, only 31% of UK boards currently receive security information on a regular basis.
Engaging with the CISO gives the board valuable insights into the changing threat environment and its potential impact on business objectives. The CISO should also highlight the wider company activities that can affect the security posture, such as changes in technology deployment, e.g., moving to a more mobile workforce or collecting data from internet-enabled devices. While these activities can deliver enormous operational benefits, they also increase the number of opportunities for cybercriminals to try to access the organisation’s network and, therefore, raise overall risk.
3. For the Medium Term: Invest in Employee Education
Get any group of security experts in a room and they will agree: the biggest risk to most organisations’ security is their people. All the safeguards in the world can’t stop inadvertent breaches by employees who don’t understand the risks. Boards should be enthusiastic supporters of employee education programmes that teach staff how to keep the network safe by being alert to schemes such as phishing emails and attempts at social media engineering, and by following the correct security procedures for mobile network access and secure communications.
This is an opportunity for the board to lead by example by ensuring that directors are aware of the importance of keeping devices and communications secure. Board information and meeting minutes can be particularly sensitive and an attractive target for cyberthieves bent on corporate destabilisation, yet many directors use personal email systems to communicate on board issues. This was a risk that was thrown into the spotlight when former US Secretary of State Colin Powell’s personal email was hacked, revealing a smorgasbord of confidential information, including the target list for the Salesforce M&A programme. In an environment in which both company and personal systems are constantly under threat of attack, organisations should bring board communications in from the wild and ask directors to use secure communications channels when transacting board business.
4. For the Long Term: Strengthen Board Expertise
Part of board reticence in confronting cyber risk undoubtedly lies in a lack of direct experience. Analysis published by Deloitte on the boards of FTSE 100 companies in 2017 found that only 5% of boards had a director with any experience in the sector, despite those same boards listing cyber-attacks as a principal risk. The threat environment is only going to intensify as the constant cat-and-mouse game between cybercriminals and security experts continues, so strengthening board expertise in this area is the only responsible approach. In future, it will be as unthinkable for a board of a major organisation not to have a director with security experience as it would be now for there to be one with no financial management expertise. This skill set should be factored into board recruitment strategy so that director experience matches the challenges the company faces.
Defending against the escalating cyber threat environment has become part of the cost of doing business for today’s organisations. With technology inextricably woven through critical systems, cybersecurity is everyone’s responsibility, not least the board’s. In its role as protector of shareholder interests and arbiter of governance and compliance, the board has a crucial part to play in setting a security culture throughout the organisation.