Does your exec board only offer lip service to cyber security and resilience?
- Published: Wednesday, 24 November 2021 09:49
There are increasing calls for organizational boards to take a strategic lead when it comes to cyber security and resilience. Yuval Baron explains why having the C-suite onboard is important and what true executive buy-in looks like.
According to a report earlier this year by McKinsey, it has always been companies in regulated industries, such as banks and insurance companies, that have prioritized cyber security at the board level.
However, other industries are still behind the curve in terms of having technical representation at the senior executive table. CIOs and CTOs, along with directors from other IT backgrounds, make up only a small share of board leadership globally.
In a survey conducted by Harvard Business Review, more than a third of respondents indicated that they struggle to stay on top of risk and security issues and new technologies, while just 13 percent of boards sought technological expertise in their most recent director search. The result is an imbalance: boards are over-supplied with financial and management skills and under-supplied with technical skills.
So why is having the C-suite onboard with cyber security so important?
It has become increasingly difficult to sit at the helm of a company and not assess the risks that exist both physically and virtually. Nor can implementing cyber risk measures replace informed decision-making at the executive level. The fact is that cyber attacks present a near-existential threat to any company. In 2020, breaches exposed more than 37 billion records, the highest number of exposed records in a single year. The balance between attacker and defender is asymmetric: an attacker who fails in 99 percent of attacks and succeeds in just 1 percent is successful. A defender who fails in 1 percent and succeeds in 99 percent of attacks is unsuccessful.
Previously, the job of understanding and quantifying cyber risk fell to the CISOs and their IT teams, who primarily addressed the technical side of the problem. The goal was to take stock of established defenses and determine how vulnerable systems were. But this is a largely backward-looking approach, and it doesn't account for the layered defenses organizations have in place, including efforts to intentionally deceive attackers attempting to study their weaknesses, or for the risks of insider threats and accidental misconfigurations.
This traditional approach isolates cyber security decisions from the businesses that they are meant to serve. While technical assessments may be sufficient for the technical leaders, they do not always offer a risk-orientated, holistic, and validated view that considers the financial and business impacts of cyber security. Additionally, not all reports capture governance, culture, decision-making practices, or the wider treatment of a company’s cyber risk profile.
Board directors need to understand all of this if they expect to make informed decisions about, for example, where to allocate capital to improve cyber defenses and how to understand the business impact of cyber threats, rather than simply investing in different departments.
Digital transformation is accelerating the need
This does not mean that all executives need to become technical experts. It means they need to be able to establish the company’s tolerance for cyber risk, define the outcomes that are most important in guiding cyber security investment and be able to foster a culture of cyber security and resilience.
In the past, CTOs and CIOs were more likely responsible for back-office outsourcing, procurement, and standardization. Fast forward to today and these positions are increasingly helping chart the course for long-term business strategy.
One of the reasons for this has been digital transformation. According to Gartner, digital transformation encompasses everything from IT modernization to the invention of entirely new digital business models. In the modern world, networks are spread over several public clouds and data centers, increasing complexity.
With this comes the need to constantly re-examine, update, and improve the use of digital technologies to solve business challenges. This reliance on digital technologies and business models poses new challenges, as companies need to understand the cyber security implications holistically across the hybrid network and ensure that cyber security is an accelerant, not a barrier, to digital transformation.
So, what can C-suites and company boards do to meet these growing needs?
Getting executive buy-in is more than just showing them reams of code and technical specifications. The threats and opportunities need to be translated into business language so that non-technical board members can understand the real-world negative outcomes of attacks caused by inaction. This includes financial and reputational costs and the forecasted return on investment.
As a minimum, CTOs and CIOs should be more visible at board level. However, to truly execute a digital transformation strategy, executives at all levels should have the digital skills necessary to drive the agenda across the entire organization and shift cyber security from an abstract concern to a concrete one.
Yuval Baron is CEO and co-founder of AlgoSec.