Business Magazine

Cybersecurity : a business decision for leadership

A few years back, cybersecurity was something that did not get a lot of attention from boards. Today, when scanning headlines and news about the latest high-profile cyberattacks, your blood pressure rises as you wonder: could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders? With such high stakes, most of us would agree that cybersecurity deserves full attention from the highest levels of an organisation.

A cyberattack or breach is not a matter of "if", but "when". When it does happen, preparation is everything. Although many boards recognise that cybersecurity is a risk that requires their specific attention, most struggle to define a comprehensive approach that will genuinely manage the risk, rather than piecemeal initiatives undertaken in the hope that they are sufficient. As a result, the question remains whether the response to cybersecurity threats is adequate.

Organisations are unique, and each needs to set its own direction and tone for cybersecurity. All aspects of a business, including strategy, business development, supply chain, staff and customer experience, will be affected. In the coming years, managing cybersecurity will potentially require radical changes to businesses and their operations.

From our engagements in different industry sectors, it is apparent that there is a need for a pragmatic approach to governing cybersecurity that is grounded in practical experience. There are many frameworks for the management of cybersecurity. However, there is little practical guidance as to what boards should consider in the governance of their organisation with regard to cybersecurity.

How can boards address the risk of cyber exposure within their organisation?

Boards need to align their cyber strategy with their business strategy and goals. This enables them to understand and quantify their cyber risk environment. It is imperative to protect what is important by putting the right people and processes in place, so that they know where their critical information is located and how to safeguard it. Being secure enables organisations to reach new markets, suppliers and partners, and to adapt continually to changing customer demands.

Are board members supposed to manage cyber risk by themselves?

As the cyber threat landscape evolves, boards have to keep looking for ways to get a better grip on how to oversee cybersecurity risk. Boards do understand the potential damage a breach can cause, but there is often a knowledge and translation deficit that weighs on directors. Boards aren't expected to have all the answers related to cyber risk, but they do need to engage with management and challenge them by asking the right questions, so they can stay on top of this complex and dynamic risk.

Who has the responsibility to drive a cybersecurity culture?

It all comes down to leadership and accountability. If the culture of the executive team says, "This is an IT problem and we're just going to have some security guy deal with it," this allows everybody to ignore their own responsibilities and assume some worker bee is going to handle it. But if leadership recognises that it is everyone's responsibility to identify risks, then it is a totally different mindset.

A culture of accountability doesn't mean everything is going to be perfect, but everybody will play their part in managing cyber risks. For example, the chief executive and the executives in charge of sales, marketing, finance, operations and so on need to understand their role in cybersecurity, in managing digital risk and in setting the right tone at the top.

What prevents boards from implementing a cyber strategy?

The cost involved in implementing a cyber strategy makes boards think twice when it comes to protecting their information assets. It depends on the industry, but nobody wants to spend money that could be profit on something that is not their core business.

During our discussions with boards, we noticed that there were primarily two types of investment in cybersecurity. Firstly, if an organisation had just been compromised, it would throw money at the problem and hope it goes away. The stakes are high: executives tell us that they consider reputational damage the most devastating impact of a cyber breach, followed by legal and enforcement costs.

Secondly, there are regulatory requirements for companies to be secure. However, there is still a presumption that implementing a cyber strategy involves substantial investment.

Leaders need to acknowledge that cyber threats and cybercrime are issues that must be proactively addressed in order to move to the forefront of digital business. They don't have to spend a lot of money to be secure, but they do need to be clear on the risks they are trying to address in order to secure their environment and build confidence in the digital future.

How could corporate leaders encourage their executives to think about security, when it is probably not something in their purview?

We encourage boards to start asking questions like: "What is the risk to our organisation; to our brand?" This can result in discussions where everybody is thinking differently about the things that matter most. For example, a marketing person might think: "I don't have anything to do with cybersecurity," but once you involve them in such discussions, it boils down to the impact of an attack on the brand. Marketing being all about customers and brand, they do in fact have a role and a stake in preventing attacks.

Most organisations, before you start that conversation, take the approach of: "Well, our system is not Internet-facing, so we're secure." But if you start probing how they would be affected, they think of things like the impact on their product, or what a security breach somewhere in the supply chain would mean for their business.

Another question is, "What is your response when there's an incident?" Mature organisations will have an incident response plan, overseen by the chief information security officer, who reports directly to the executive board. We encourage the board to ask, "What is your role if there's an incident?" This generates ideas about how they would respond to their shareholders if and when something went wrong.

Leading companies are integrating cybersecurity, privacy and digital ethics from the outset, which enables them to actively engage with existing customers and attract new ones. Boards and executives with a sustained focus on cybersecurity do more than protect their business; they enable growth in the digital age.
