Implementing a Top-Down Approach to Cyber Security: 5 Steps to Integrate Cyber Risk into Enterprise Risk Management

Since the start of the 21st century, information technology has transitioned from supporting cast to centre-stage. From its initial role as business enabler, IT now comprises the very fabric of organisational infrastructure, as critical as physical buildings and personnel. Indeed, in the current climate, technology and data have superseded physical infrastructure and are mission-critical at an existential level for the vast majority of businesses. But as companies have digitally transformed to gain efficiencies and competitive advantages, they have incorporated a considerable amount of cyber risk.

So, what happens when infrastructure and data are threatened by external cyberattacks, insider threats or employee errors? When a cyber incident could bring a business to a standstill, how should organisations be realistically managing cyber risks, and where does the balance of responsibility lie between the business and the board?

Moving Beyond the Bottom-Up Approach

Larry Clinton, President of the Internet Security Alliance, recently summed up the challenge facing organisations when speaking at the Diligent Modern Governance Summit 2020, saying:

Cybersecurity has traditionally been a bottom-up approach designated as an IT problem, but it’s not an IT problem. It has an IT component, but it is an enterprise-wide risk management issue. So, we need oversight from the board of directors to set the environment for good cybersecurity culture and to put in parameters for cultural support, including economic support, so the entire organisation can embrace cybersecurity and follow best practices.

A cybersecurity breach or system failure can affect the entire business, from the immediate operational impact to the knock-on financial effects, reputation damage and the legal ramifications of compliance failures. So, given that cybersecurity risk has historically been siloed into the IT department, how can boards and management teams change their approach to reach the end goal Clinton describes of cyber risk management being “a handshake between the management structure and the board structure involving the entire organisation”?

Clinton laid out five specific steps:

Step 1) Speak the board’s language

Part of the problem with engaging boards in cybersecurity risk is the language barrier. Faced with technical information about penetration testing, threat hunting and next-generation antivirus, most directors are out of their comfort zone. Instead of forcing the board to learn a new language, cyber risk must be presented in board vernacular.

Reports to the board should relate to the business process, rather than the operational process, and vulnerabilities should be interpreted in terms of what they mean for the business. The board might not be interested in a customer database exposed by misconfigured cloud storage, but they might be extremely interested if that database belongs to an acquisition target and the subsequent GDPR fine could fall on their shoulders. In fact, cybersecurity risk is a material issue in most board decisions, from mergers and acquisitions to new product launches and strategic partnerships – all of these can introduce new risk. It must therefore be included in all discussions related to these activities.

Today, boards need to stop thinking of cybersecurity as a peripheral issue and include it in decision-making in the same way that financial and legal factors have always been considered. As Larry Clinton underlined: “There is not a single major business decision [today] that does not include cybersecurity considerations. Cybersecurity needs to be woven into the entire process…. That’s the message about cybersecurity: We’re all in this together!”

Step 2) Empower the board to ask the right questions

The board’s ability to provide effective oversight of cybersecurity depends in part on its familiarity with the relevant issues. This may mean co-opting outside experts or including cybersecurity in the skillset of new board appointees when undertaking succession planning.

But it isn’t necessary for every director to become a cybersecurity expert; they simply need to understand the threat areas, such as insider risk and third-party cyber risk, well enough so they are able to ask the right questions. Then they can challenge management and help it move forward in its strategy for responding to a constantly changing threat landscape.

There are several handbooks that can assist boards in building their security knowledge, including the ISA and NACD’s Cyber-Risk Oversight 2020 for Corporate Boards, which is a freely downloadable publication.

Step 3) Develop and implement a framework for cyber risk

Empowering boards to engage effectively with cyber risk requires management teams to develop and implement a framework for managing it. This should have two aspects, advises Larry Clinton. First, a technical framework that aligns the organisation to recognised standards such as the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2 and/or the standards relevant to the sector in which the business operates. This framework should deliver the context of what data and systems the organisation and its key partners have and how they operate and interact. Second, a framework for the governance of cyber risk and how it is managed across the business. This should incorporate cyber risk monitoring and the strategies for managing cyber incidents, and should be led by someone with cross-organisational authority. Furnished with this framework, the board is better positioned to set a meaningful cyber risk tolerance.

Step 4) Set realistic cyber risk tolerance and management parameters

Cyber risk is a risk like any other, and businesses only succeed if they take calculated risks, whether that is who to trade with, which customers to give lines of credit to, or which new markets to enter. More than that, it is also naïve to think an organisation can have a zero-tolerance approach to cyber risk. The intensive external threat landscape and the less malicious, but no less damaging, threat of employee mistakes mean a degree of risk is inevitable.

Directors must establish what degree of risk they are prepared to accept. For example, if the company is pursuing an aggressive acquisition strategy, it may be necessary to accept the higher cyber risk that may reside in acquired companies and ensure a strategy is in place to bring those acquired companies into alignment. Risk may be mitigated in this way or transferred via tools such as cyber insurance policies against, for example, ransomware attacks. Note that insurance transfers only the financial impact of an incident; the operational disruption and reputational damage remain with the business, so insurance complements rather than replaces mitigation.

Accepting a degree of cyber risk also entails that directors prepare to respond to a cyber incident as it is a matter of when, not if, one occurs. This means running incident response exercises and testing different scenarios for responding to a cyber-instigated crisis.

Step 5) Set the tone from the top

The message must be that cybersecurity is everyone’s business, from the personal cyber-hygiene involved in staying alert to phishing attempts and not using insecure channels for confidential communications, to the advanced AI-powered antivirus technology deployed by the cybersecurity team. It is a marriage of people and process, and risk exists at the interaction of the two.

Directors need to support the human layer of cybersecurity by endorsing safe data management practices across all areas of the organisation and ensuring that their own communications are protected and supported by secure board governance technology.

Cybersecurity is one of the most wide-ranging strategic risks faced by boards today. Boards must be equipped to understand it and grasp that “handshake with management” to determine a practical approach to cyber risk that enables the business to move forward across all its activities in a complex and highly integrated digital ecosystem.