Where is cyber on your board agenda?

Is cyber security being given the prominence and funding it deserves in the boardroom? Despite an ever-growing list of headline-stealing, wide-reaching attacks, there is a sense that senior board members are still not taking the threat as seriously as they should. This view is supported by Lindy Cameron, chief executive of the National Cyber Security Centre (NCSC). In her October keynote speech at Chatham House’s Cyber 2021 conference, Cameron singled out ransomware as the biggest threat to businesses.[1] This assessment came as no surprise to chief technology officers and chief information security officers. But as the sophistication of attacks evolves, are they translating this rising risk for board members?


The NCSC reported that it handled 723 incidents between 1 September 2019 and 31 August 2020, up from 658 the previous year[2], a roughly 10% year-on-year increase. The conversation must be reframed as a risk discussion. CTOs/CIOs and CISOs should push for more airtime in the boardroom, stressing that cyber risk must be managed and mitigated or the business could suffer serious reputational damage.


Another way to make the case for cyber risk with the board is to propose improving company culture. By arguing that the biggest cyber security weakness is human error, CTOs/CIOs and CISOs can push for a top-down cultural transformation, and one they can drive themselves.


It’s important for the board to recognise that cyber risk is not “just” about the company but can also affect them personally: they could lose their footing at the business if appropriate action is not taken. This happened to Dido Harding, who in 2017 resigned her role as Chief Executive at TalkTalk, eighteen months after the company was hit by a cyber-attack affecting tens of thousands of customers.


Shock tactics: how to make boards realise cyber risk


“The impact of a ransomware attack on victims can be severe,” Cameron said in a recent interview with Raconteur.[3] “I’ve heard powerful testimonies from CEOs facing the repercussions of attacks they were unprepared for. Attacks can affect an organisation’s finances, operations and reputation, both in the short and long term.”


The NCSC CEO warned that boards should not blame their security teams if—or rather when—a breach occurs. Defending against cyberattacks cannot be dismissed as “just a technical issue,” Cameron said. The message was clear: it’s a board-level matter that demands action from the very top of businesses.


To illustrate her point, she added: “A CEO would never say they don’t need to understand legal risk just because they have a General Counsel. The same applies to cybersecurity. We need to go further to ensure good practice is understood and resilience is being built into organisations. Investing resources and time into putting good security practices into place is crucial for boosting cyber resilience.”


A World Economic Forum report—Principles for Board Governance of Cyber Risk, published in March 2021—echoed Cameron’s assessment.[4] It noted: “Cyber risk is among the top risks facing businesses today, and it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively. Companies that effectively manage the entire portfolio of risks, including cyber, do better in the marketplace.”


In terms of ranking risks, cyberattacks are unique. They aren’t readily perceptible and they strike every aspect of an organisation—human resources, finance, operations and more—meaning they are tough to contain without the right processes in place.


Sharing knowledge and ownership


While every risk should have an owner, boards sometimes struggle with clarity around cyber, as it is no longer merely a sub-risk under IT risk. By raising this as a concern, CTOs/CIOs and CISOs create an opportunity for a constructive conversation with the board about who owns the risk. Agreeing a shared responsibility will help firm up response and recovery processes.


Is a lack of comprehension at the board level the most significant challenge? Research from the Harvard Business Review, published in September 2020, suggests so. It points out that while many boards are now discussing cyber security more frequently, the true nature of the risk is not well understood.[5]


The discussion with the board also needs to go one level up, shifting from cyber security to cyber safety. Understanding the risk does not by itself make an organisation secure. To reach cyber safety, the board will need to adopt a more proactive approach: allocate more cyber-focused time at board meetings, increase the cyber budget and have a process in place.


Board members need to start accepting that cyber breaches are a high risk. Those with expert knowledge can take the opportunity to offer one-on-one training behind closed doors; most board members would jump at the chance to learn about cyber security away from their peers. Ultimately, this tactic will help further the conversation and, more importantly, forge the bond between the CTO/CIO or CISO and the lever pullers. With cyber risk likely to expand in the coming years, the strength of that relationship will be increasingly business critical.

[1] https://www.ncsc.gov.uk/speech/lindy-cameron-first-year
[2] https://www.ncsc.gov.uk/news/ncsc-defends-uk-700-cyber-attack-national-pandemic
[3] https://www.raconteur.net/c-suite/ncsc-advice-ransomware-cyber-threats/
[4] https://www.weforum.org/reports/principles-for-board-governance-of-cyber-risk
[5] https://hbr.org/2020/09/does-your-board-really-understand-your-cyber-risks