Cyber threats are some of the biggest challenges organizations face, but cybersecurity failure is still seen as a critical short-term risk.
The lack of ‘cybersecurity readiness’ leaves companies vulnerable and at risk of major disruption in case of a cyber attack.
Board members must actively embed cybersecurity risk management from the top down and demand cyber risk indicators are presented in financial and economic terms.
Cyber risk is one of the main challenges that organizations face today. The World Economic Forum’s Global Risks Report 2022 highlights how cyber threats have intensified through digital transformation and growing digital dependency.
Cybersecurity failure, however, is still perceived to be a critical short-term risk, according to the report, and high-value companies are often breached, leading to significant negative impact on their performance.
Simple ransomware attacks have disrupted global companies for multiple weeks, leading to hundreds of terabytes of sensitive data being publicly published and even stock prices dropping temporarily by as much as 10%.
Companies are increasingly left vulnerable due to a lack of ‘cybersecurity readiness’ and are therefore prone to ongoing phishing attacks that expose weaknesses in their systems, such as stolen passwords or unpatched servers.
80% of Firms Have Suffered a Cybersecurity Breach
A recent study by Acronis showed that 80% of companies had suffered a cybersecurity breach over the past year, up from 68% the previous year.
Meanwhile, 9% of the companies experienced at least one cyber-attack per hour, illustrating the current high levels of risk.
This indicates that organizations are increasingly vulnerable to cyber attacks on their businesses, yet most lack the readiness to respond, and their preparedness is not on par with the growing sophistication of the attackers.
Most executives and board members are aware of key global cyber threats and recognize cybersecurity risk as an enterprise-wide risk, but not everyone understands the impact of these cyber risks and their economic drivers.
It is therefore imperative for organizations to implement capabilities to strengthen cyber resilience and ensure board members play an active role in leading this shift.
Boards Should Prioritize Cyber Risks in Planning
A new proposal from the US Securities and Exchange Commission on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure highlights the need for board members to prioritize cyber risks in their planning.
Within this context, the World Economic Forum, in co-operation with the National Association of Corporate Directors and the Internet Security Association, published the Principles for Board Governance of Cyber Risk report in 2021.
This report describes six principles that can help boards of directors with cyber risk governance: cybersecurity as a strategic business enabler; understand the economic drivers and impact of cyber risk; align cyber-risk management with business needs; ensure organizational design supports cybersecurity; incorporate cybersecurity expertise into board governance; and encourage systemic resilience and collaboration.
The fourth principle, “ensure organizational design supports cybersecurity”, highlights the need to view cybersecurity through a strategic lens and ensure that internal governance mechanisms are established to address risks.
In order to implement this principle, key questions to consider are:
- Who is the owner of the cyber risk in the organization and what is their role?
- Does the cyber risk reporting process include all business units and take into account key business decisions?
- What are the key performance indicators pertaining to cybersecurity for internal stakeholders?
With this information, the board can fairly assess and evaluate the financial and economic impact of cyber risk relative to other enterprise-wide risks and determine the organization’s risk appetite, as well as establish accountability and risk ownership.
Once accountability and risk ownership have been defined and agreed upon across the organization, it is vital to develop a cybersecurity governance structure that is aligned to the organization’s business strategy.
Cybersecurity targets and objectives should be defined in alignment with the overarching strategy and the cybersecurity team should be consistently engaged with business representatives, executive leadership, and the board on both a strategic and tactical level.
The involvement of senior management and the board of directors is critical in many ways, as their role is to actively embed cybersecurity risk management in the organization top-down and demand cyber risk indicators be presented in financial and economic terms, so that they can be effectively compared to other risks and priorities in the company, while providing oversight on how cyber risk is monitored.
Strategic Involvement is Vital to Secure Assets and Services
A cybersecurity strategy must be defined with a high-level plan for how your organization will secure its assets and critical business services in the short term and long term. As technology and cyber threats are unpredictable and constantly evolving, it is essential to account for updates to the strategy in the long term.
To develop a cybersecurity strategy that is aligned with organizational goals, clear lines of communication between the executive team and the cybersecurity organization should be established. The key points are:
Chief information security officer (CISO) involvement
The CISO is a member of the executive committee. He/she joins executive meetings and calls, is included in strategic and product planning sessions, sales and marketing reviews, and so on, so the security organization is aware of upcoming changes and can prepare for necessary support in advance. Additionally, the business is aware of key cybersecurity risks to consider prior to rollout of any technology transformation initiatives or product launches.
A cybersecurity committee with key stakeholders across the CISO organization should be established to periodically discuss progress made during the year, cyber risk insights, and priorities for future state planning, considering critical elements to achieve maximum impact in the areas of governance, technology and operations.
A board level steering committee should be established with stakeholders across the CISO, chief information officer, chief revenue officer, audit and legal organizations. During these committee meetings, security priorities should be reviewed and future roadmap initiatives should be discussed and iterated upon, to ensure integration across all areas of the organization and associated impact. In this context, reporting is of great importance in order to outline how the organization can more effectively manage and understand the economics of cyber risk.
The security organization communicates directly with the board of directors to report on cybersecurity programme maturity and raise issues that may impact shareholders, or their own organization within the ecosystem. It continues to be important for board members to increase their knowledge on how to address cybersecurity within their organizations. The direct communication offers an opportunity for the board to increase their understanding of cyber risk and provides guidance for interactions as they more fully embrace their role with regard to cyber risk.
Cross-Functional Coordination Can Strengthen Response Capabilities
While the security team is often at the forefront of cybersecurity incident response, coordination with other teams, as well as broader organization-wide awareness, will be critical in strengthening response capabilities. Multiple initiatives to collaborate with other departments should be implemented:
- Training: The security team should develop training modules for board members focused on providing foundational cybersecurity knowledge and skills needed to protect sensitive data and respond to cybersecurity incidents. Additionally, board members should also be involved in tabletop exercises and simulations to respond to cybersecurity scenarios. These exercises not only allow board members to be better aligned and aware of their responsibilities during a security incident, but also help organizations to continuously improve their existing processes and build upon lessons learned.
- Open communication: The security team should develop an internal blog or workspace to publish project updates, announce upcoming changes, and collect feedback across the organization. The team can also leverage Cybersecurity Awareness Month to boost broader awareness and participation in security programme initiatives.
- Interaction models: The security team should work closely with technology and business partners within the organization and define key process handoffs, accountabilities, and interaction models to ensure cybersecurity risk considerations are appropriately integrated in business decisions (for example, evaluation of new vendors, potential acquisitions, new product functionality assessments). Additionally, business line feedback should be solicited for continuous improvement of security programme initiatives and investment decisions.
Collaboration is Key to Being ‘Cybersecurity Ready’
As our world becomes increasingly digitized, a push from the board for cross-functional collaboration across the organization will allow the security team to be better aligned with business needs.
It is key for organizations to have governance processes and structures that encourage communication and support the implementation of cybersecurity readiness initiatives.
Cybersecurity must be a core strategic priority, and ownership and accountability for cybersecurity risk management activities must be adopted both within and outside the CISO organization.
It takes some effort to change existing structures and introduce new processes to elevate the conversation of cybersecurity risk considerations. This change has to be supported by the board and executive management in order to be successful:
- Appropriate authority needs to be established for the CISO.
- Owners of cybersecurity risk management activities outside of the CISO organization should be held accountable.
- Incentives to encourage business unit teams to engage security teams should be defined for effective cybersecurity risk management.
- Reporting processes and committees should be established to facilitate communication of key cybersecurity metrics, risks, and issues for transparency.
The ultimate protection against cyber threats is instilling an organizational culture that is ‘cybersecurity ready’ and that is knowledgeable and prepared to mitigate the risks at all levels of its strategy and operations.