When confronted with the prospect of regulatory change, boards often wonder whether they should jump into line or wait until they are pushed. If new legislation is inevitable, would it be wiser to get out in front of it, rather than reacting when it finally hits? When it comes to board engagement with cybersecurity, however, there should be no room for debate. Regulation will undoubtedly evolve, but there are far more compelling reasons to put cybersecurity high on the board agenda.
There is no denying the mounting threat posed by cyberattacks. Attackers are becoming ever more sophisticated, owing not least to a thriving market on the dark web offering the tools and programs required to launch complex attacks with a single click of a mouse.
Moreover, new threat actors are entering the fray. Organized crime groups are embracing cyberattacks as an extortionary tool. So, too, are nation states, particularly as geopolitical tensions rise amid conflicts such as Russia’s invasion of Ukraine and China’s threatening posture towards Taiwan. Research from Accenture and the World Economic Forum warns that 86% of business leaders think global geopolitical instability could lead to a catastrophic cyber event in the next two years.
A second driver of board engagement with cybersecurity is that most are currently reviewing strategic plans that will increase their organizations’ exposure and vulnerability to attacks. Almost every business now regards digital transformation as a strategic priority, but each new initiative creates another potential point of incursion, particularly where new systems are built on top of legacy IT, preserving the inbuilt vulnerabilities of the old system.
Technological change provides further impetus for boards. For example, threat actors have been quick to recognize the potential in generative AI to launch successful cyberattacks. They’ve already employed the technology in social-engineering attacks, tricking targets with highly convincing manipulations. Generative AI is also being used to write new malware
For all these reasons, boards now need to seize the initiative; in any case, regulators will soon demand that they do so. In the US, for example, the Securities and Exchange Commission (SEC) has already proposed that every publicly listed company should have to declare which of its board members have cybersecurity expertise, as well as details of that expertise. In Europe, the new EU Cyber Solidarity Act adds to the regulatory requirement.
However, in terms of cybersecurity, compliance represents nothing more than table stakes; superseding this, there is an opportunity for boards to embrace cybersecurity and resilience as value drivers. Digitally transformed businesses will succeed or fail on their ability to function as trusted providers of technology-enabled products and services. Resilience then becomes a crucial element of the brand narrative, inspiring customer confidence – or, if it is lacking, triggering doubt and anxiety.
Until now, relatively few boards have recognized the urgency of these imperatives. One recent study found that fewer than one in four board members believe that there is very likely to be an attack on their organization. This smacks of complacency: the UK Government has just published data suggesting that 69% of large businesses have been attacked over the past 12 months.
Moreover, while there are signs that boards are discussing cybersecurity more frequently, the quality of engagement is debatable. A brief quarterly update from the chief information security officer (CISO), say, is unlikely to be sufficient for boards to gain a comprehensive grasp of their organization’s cybersecure status. Rather, sustainable digital transformation requires organizations, including their boards, to focus on cybersecurity as a core capability.
One good way to move positively towards this is via a cybersecurity audit. Organizations keen to purchase cybersecurity insurance may be required to undergo such a process to secure cover. However, even without such an imperative, an audit is worth considering as a useful reality check. If security officers can persuade boards to get involved in such exercises, they will quickly acquire a better understanding of current strengths and weaknesses.
It is not the role of the board to develop an organization’s roadmap for bridging gaps and enhancing protection. Nevertheless, boards should be ready to hold leadership to account for the work they are doing in this area.
“The UK Government has just published data suggesting that 69% of large businesses have been attacked over the past 12 months. ”
Traditional approaches to cybersecurity have focused on prevention and protection – keeping attackers out of vital systems and repelling attacks as quickly and robustly as possible. Boards may lack the technical knowledge to interrogate CISOs in detail in these areas, but they can question them closely on overall strategy and what mitigatory measures there are in place for when an attack does succeed in getting through.
Increasingly, companies are coming to accept that, sooner or later, their defenses will be breached. Boards should ensure that, in such an eventuality, they know how their IT functions, and the company as a whole, will respond. How will such breaches be managed and communicated? What is the company’s crisis response plan, and who is responsible for implementing it? Are disaster-recovery and business-continuity plans sufficiently robust?
Many of these questions will be familiar to boards that have looked in detail at other types of risk. And, as in those areas, scenario-planning exercises and simulations with board involvement can prove invaluable. They will certainly prove more informative for board members than an occasional chat with the CISO.
It might be tempting to choose one board member to take complete responsibility for cybersecurity. Certainly, the implication of the new SEC regulation is that boards should bed in at least one cybersecurity expert. The danger of this approach, however, is that the rest of the board will feel they can relax and take their eyes off the ball.
A more practical solution may be for one or more directors to agree to take the lead on cybersecurity, ensuring that the business is keeping up with current requirements while keeping their fellow board members involved. The challenge is to avoid putting cybersecurity into a “technology box” – that is, recognizing that security and resilience aren’t simply questions of technical capability.
The onus is on the board to recognize that cybersecurity is an issue they cannot afford to ignore – and to communicate this to the organization.
Threat intelligence is a case in point. Most organizations will receive regular updates on the evolution of cybersecurity threats, including new forms of attack and newly identified sectoral vulnerabilities. While some of the technical detail may be lost on the board, the bigger picture – how cyberattack could play a role in provoking geopolitical instability or economic upheaval, for example – will be valuable in business terms. Here, the board should be in a much stronger position to engage.
Indeed, the focus should be on discussing cybersecurity in the context of the business’s operational activities and strategic imperatives. A board meeting agenda item that is focused on cybersecurity as a standalone issue is likely to gain relatively little traction with many directors and may rapidly become a box-ticking exercise.
Instead, boards should try to focus on cybersecurity in a contextual sense. To what extent has a new digital transformation initiative been planned with security by design incorporated? To what additional geopolitical risk does a move into a new market expose the business? Is cybersecurity part of the learning and development program planned for staff?
There is another challenge here for CISOs: to engage the board in the cybersecurity agenda will likely require them to adjust the language with which they communicate. CISOs who speak in technical jargon can expect to receive less attention than those who are able to communicate through the lens of commercial objectives and realities. The CISO who presents themselves as an enabler of secure business change, rather than a blocker of initiatives, is likely to receive a warmer reception.
Nevertheless, the onus is on the board to recognize that cybersecurity is an issue they cannot afford to ignore – and to communicate this to the organization. Whether or not regulation eventually forces them to take cybersecurity more seriously, there is every reason to move quickly. The risk of not doing so is that the organization is left exposed to vulnerabilities that could have been covered. Possibly even more damaging to the prosperity of the business, the opportunity to drive value could be missed.
Collaboration between humans and new forms of artificial intelligence (AI) are creating opportunities for considerable improvements in written communication. But to do so successfully, business executives must learn to strike a balance...
Teaching computer literacy to children in rural India means building cross-sector partnerships that create value for everyone involved. KidsWhoKode Founder and CEO Shweta Mukesh explains how she brings together diverse organizations to...
8 November 2023 • by Howard H. Yu in Innovation
Are you doing the right things to make your company future-ready? My research suggests you should be asking these four questions to find out. We studied companies that were more successful getting...
Li Shufu, CEO and founder of Chinese carmaker Geely, overcame a host of setbacks to become the billionaire owner of a multi-faceted business ...
Explore first person business intelligence from top minds curated for a global executive audience