As companies seek to integrate more and more new technologies into their business to stay market-ready and ahead of their competition, so grows the risk of a cyberattack disrupting operations or stealing valuable data. Often, companies underestimate the number of cyberattacks they will face in any calendar year, and while they may have a basic level of cybersecurity, more needs to be done to ensure there is cyber-representation at the highest level - the Board of directors. This is key to mitigating cyber-threats, as cybersecurity must be interwoven into the overarching business strategy, and this can only happen from the top down.
Finding the right person for the job
Too often we see companies, especially SMEs, lacking any sort of direct cyber-representation at the top level. Even larger companies’ boards often don’t hire cybersecurity professionals; instead they’ve opted to pass that responsibility onto a CFO or similar executive who typically manages risk. However, the majority of CFOs are generally focused on reducing cost rather than investing to manage risk. Even when an appropriate C-Suite member holds the responsibility, many of these are recruited with no prior experience in cyber. As such they are ill-equipped to provide the necessary leadership and drive sound risk-based decisions.
Instead, cyber-representation should be covered by a CTO, CIO, CSO or, more appropriately, a CISO; whether this is a dedicated or shared role will depend on the size of the company. Not only can they explain to the rest of the Board the intricate technical issues and challenges that can impact business operations, but they can also ensure that cybersecurity receives the resources and funding it needs to provide robust protection for the business.
With an ongoing technical skills shortage, having a cyber-leader will also help companies hire and retain technical staff. A cyber-leader with strong experience will be well respected, improving the morale and overall work satisfaction of technical staff.
Developing a successful cybersecurity strategy feeds into the wider issue of how cyber is understood in terms of its key risks within the company. Many boards do not review regular KPIs or other metrics such as key risk indicators or board level risks, and so are unlikely to understand how their key risks are being managed. Some organisations may not even know what their risk appetite is, or even what cyber-threats their business is exposed to.
Without understanding these fundamental items, it is impossible for an organisation to consistently address cyber-threats and manage its risk. If the board is unable to disseminate this information, you end up with pockets of good practice which are entirely dependent on an individual member of staff having the experience and knowing what to do.
Companies can begin by conducting a cyber-maturity assessment to discover the weak spots in the business that might be exploited by cyber-threats - be that a lack of personnel training on best practice or the IT infrastructure itself. Once aware of all vulnerabilities, a tailored strategy can be created to fix these areas and improve cybersecurity.
As part of this strategy, businesses must ensure they cater for Business Continuity and Disaster Recovery planning; this is crucial in order to prepare for any potential incidents that may affect the company. There have been many recent examples of system outages impacting large organisations such as Travelex, highlighting the importance of businesses preparing effectively for incidents. A major data breach can affect not only business operations but also the company’s reputation, especially if customer data has been affected. Having a cyber-leader within the company makes it much easier to develop a proactive policy to deal with an incident, reassuring customers and protecting the company’s reputation.
Adopting a risk management approach
Establishing a CISO function with the authority to enact real change within the business will ensure a consistent approach to risk management. Strong governance will actually drive cost down, as incidents will decrease and tool sets will be standardised across the enterprise. In addition, the CISO function provides the necessary evidence to support any investigation that will occur in the event of a data breach.
While it is not always possible to prevent a cyber-incident from occurring, the number and scale of incidents will be considerably reduced by ensuring the CISO function is operating well. This will also serve as the evidence required to prove to the Information Commissioner’s Office (ICO) or other regulatory bodies that the organisation is doing the right thing, which will reduce or remove any fine in the event of a breach.
As an expert in the field, a cyber-leader is key to helping companies understand, manage and mitigate the risks posed to the business. Conducting a cyber-maturity assessment and creating a cyber-strategy based on the results are important first steps to protecting the company and helping stakeholders and the rest of the Board understand the necessary changes. Ultimately, a cyber-leader will set the tone for a company and work to safeguard the company’s reputation, finances and assets.
Peter Barnsley, Director Cyber Security, 6point6