2024 Cybersecurity: A Strategic Priority - Time for the Board to Step Up
Andrew Cardwell
Security Leader | CISSP | CISM | CRISC | CCSP | GRC | Cyber | InfoSec | ISO27001 | TISAX | SOC2 | 23k Followers
Cyber threats are on the rise. Hardly a week goes by without headlines of another significant data breach or cyberattack impacting millions of people. I've said before that as our dependence on technology increases, so does the risk that it will be compromised or weaponised for malicious purposes. This stark reality demands a fundamental shift in how organisations approach cybersecurity in 2024 and beyond.
"In 2024, cybersecurity is a strategic priority that can no longer be siloed in the IT department. Gartner has predicted that by 2026, 70 percent of boards will include at least one member with expertise in the field. This enables organizations to move beyond reactive defense, meaning that they can act on new business opportunities that come with being prepared." (Forbes: The 10 Biggest Cyber Security Trends In 2024 Everyone Must Be Ready For Now)
No Longer Just an IT Problem
For too long, cybersecurity has been viewed as solely the responsibility of the IT department. Cyber threats are increasing daily, and headlines of significant data breaches or cyberattacks impacting millions of people have become routine. As dependence on technology increases, so does the risk from cyber threats, which requires a fundamental shift in how organisations approach cybersecurity in 2024 and beyond.
Despite recent increases in cybersecurity spending and wider adoption of technical controls and management systems, organisations continue to fall behind. The growing sophistication of cybercriminals, the ever-greater number of software vulnerabilities being discovered, and the rise in supply chain attacks and ransomware have left organisations forever playing catch-up.
Organisations must realise that in many ways, cybersecurity has now become a core business function affecting every person and process within modern companies. It can enable business opportunities through technologies like cloud computing and mobile access, while posing tremendous risks if not managed properly. With hackers setting their sights on the largest and most integral systems, the financial and reputational damage from data breaches continues to rise exponentially.
Cybersecurity must become more proactive, collaborative, and integrated throughout the organisation. Cyber risk is now enterprise risk and needs strategic leadership and guidance. Cybersecurity must turn the corner to become a core business function affecting every individual and process. It must enable business opportunities and growth.
In a recent article from Forbes, it was highlighted that Gartner has predicted that 70% of boards will have at least one member equipped to oversee cybersecurity strategy by 2026. Appointing board members proficient in cyber risk management demonstrates that cybersecurity is a priority, needing oversight and accountability from the organisation’s highest levels.
Organisations must foster a culture where cybersecurity is woven into decisions company-wide. Today’s distributed and mobile environments require that every employee, not just IT staff, plays their part. Cross-functional collaboration between departments will help educate leaders on threats relevant to their domains and ways to combat them.
Leadership must stay nimble and open-minded to adapt policies and controls to address new challenges. What protected systems yesterday may not do so tomorrow. For 2024, the expanded scope must include cloud, supply chain, and where appropriate, industrial control security (an often-neglected area). Far too many breaches have occurred despite the presence of advanced firewalls, intrusion detection systems, and anti-malware software.
Board Oversight Critical by 2026
Recognising this changing landscape, boards must be equipped to oversee cybersecurity strategy by 2026, and this means having specific expertise serving on the board. This mirrors precedents set in other business domains requiring advanced and specialised ability at the governance level, such as legal counsel and certified financial officers.
Appointing board members proficient in cybersecurity and cyber risk management shows that cybersecurity is now a real priority, needing oversight and accountability from the very top levels of the organisation. Responsibility can only be delegated down within the organisation with strategic direction and visibility from those governing the company. The buck has to stop somewhere when a major breach occurs!
Embedding at the Leadership Level
In addition to competent board guidance, organisations must foster a culture where cybersecurity is woven into decisions company-wide. Today’s distributed and mobile environments require that every employee, not just IT staff, plays a part. And since weaknesses are inevitable given the fast pace of technology innovation, unified leadership is crucial for rapid response.
Many forward-thinking organisations now have Chief Information Security Officers (CISOs) who regularly engage with top executives and external leaders. These officers not only bring technical ability to predict cyber criminals’ latest methods but also the communication skills to translate cyber risk into relatable business impacts.
A CISO might report directly to the Chief Information Officer (CIO), Chief Operating Officer (COO) or Chief Risk Officer (CRO). However, they are empowered to work cross-functionally across departments, educating leaders on threats relevant to their domains and ways to combat them. This enterprise-wide strategy promotes cohesion and breaks down barriers that could blindside those not directly working with IT systems daily.
Expanding Scope
Of course, cybersecurity is still a quickly evolving domain, with new threats appearing constantly. Leadership must stay nimble and open-minded to adapt policies and controls to address these challenges. What protected systems yesterday may not do so tomorrow.
For 2024, the expanded scope must include:
Cloud Security: As the adoption of cloud-based services like Microsoft Azure, Amazon Web Services, and Google Cloud continues to accelerate, sensitive company data is shifting to these environments, requiring diligent oversight of third-party security policies. Multi-factor authentication, encryption in transit and at rest, careful access controls, network segmentation, and robust logging capabilities are all paramount.
Supply Chain Security: With just one insecure supplier granting access to networks hosting critical business data, the attack surface expands exponentially. Growing regulatory pressure now holds buyers accountable for rigorously assessing vendor risk via questionnaires and contractual provisions allowing customer audits. However, small companies may resist due to the associated overhead costs, requiring help or incentives to take part.
Industrial Control Security: Using embedded computing to monitor and control hardware from manufacturing equipment to utility systems, industrial controls often connect to more extensive IT networks for performance data aggregation and remote adjustment. While providing operational efficiencies, vulnerable legacy components never intended for internet connectivity are exposed, and exploited, if not properly shielded.
Executive Education: Despite elevated organisational standing and growing budgets, many CISOs cite a continual need to inform leadership on essential security concepts like zero-trust architecture, data minimisation and the basic cyber hygiene practices of patching and passwords. Business software, personal devices, and a remote workplace full of distractions make such fundamental training an ongoing imperative.
The Evolving Role of CISOs
Being a CISO is difficult. With scrutiny intensifying both internally and externally after incidents, the CISO role continues expanding in scope. No longer is success defined solely by preventing outright security disasters. Proactively enabling business goals through technology now requires just as much attention, even amidst chaos. Core responsibilities must include:
Risk Management: Working cross-functionally with legal, compliance and business unit leaders, information security teams need clarity on which data assets and systems pose the greatest risk if compromised. This allows calibrated defences to match proportional risk levels, ranging from employee laptops to databases holding customer data and intellectual property.
Audit Support: During due diligence associated with mergers, acquisitions, or more extensive partnerships, assessing the current cybersecurity posture on both sides is imperative. Historical gaps uncovered in policies, resources or skill sets lay the groundwork for strengthening the new combined entity during integration. Regulatory examinations also lean heavily on information security teams for artefacts proving diligence.
Incident Response: Despite best efforts to prevent attacks, leakages or outright data theft will still periodically occur. Well-structured and rehearsed incident response plans are thus critical for rapidly containing damage while meeting notification obligations. The goal is restoring business operations as swiftly as possible while applying lessons learned to enhance defences.
Insurance Guidance: Specialised cyber insurance policies help offset some financial risks after incidents but come with a spectrum of specific policy provisions that information security teams need to help the organisation navigate. Minimum controls around multi-factor authentication, endpoint detection, and encryption may be required up front. Prompt breach notification and reliance on pre-approved forensic firms are mandated post-event to qualify for payouts. Keeping policies up to date as coverage evolves is critical.
How Boards Can Get from Now to Competent Cyber Governance
Gartner has predicted that 70% of boards will have dedicated cybersecurity expertise among their directors by 2026. Yet, many boards need more skills and processes to provide credible oversight of this strategic priority.
Transitioning from the old ways to the new is crucial yet challenging. Multiple phases of education, assessment and policy updates lie ahead. Here is a roadmap for navigating this journey successfully:
Phase 1: Raise Basic Cyber Literacy
Cyber threats are increasing daily, and every day there is news of another significant data breach or cyberattack that has affected millions of people. As we become more dependent on technology, the risk of being compromised also increases.
This harsh reality demands a fundamental shift in how organisations approach cybersecurity in 2024. Cybersecurity must be a strategic function and cannot be siloed. Cyber risk is enterprise risk, full stop. Cybersecurity must become a core business function that affects every person and process. It can enable business opportunities and address tremendous organisational risk if managed correctly. When managed incorrectly, the financial and reputational damage from data breaches will continue to rise exponentially.
Boards need foundational knowledge of key cybersecurity concepts relevant to governance-level decisions. All board members should be provided fundamental training to raise cyber literacy across the leadership team. Several educational courses are now available to help with this, including the Cyber Leadership Institute’s Cyber Resilience for Business Leaders foundation course and its more comprehensive Cyber Strategy and Transformation Program for business leaders.
Any cyber education should answer questions like:
Group presentations from the Chief Information Security Officer (CISO) or outside consultants during board meetings can offer an interactive starting point.
Phase 2: Formalise Risk Reporting
Once fundamental concepts are understood, boards need continual visibility into pivotal security metrics and events that reflect their actual risk exposure. This operational awareness is often lacking, or presented only through skewed metrics like misleading “uptime” percentages.
Formally integrating cybersecurity into enterprise risk management updates is essential. Qualitative information from the CISO on emerging threats combines with quantitative key risk indicators (KRIs) on items like patch lag, multi-factor authentication usage percentages and incident response times. Dashboards should align with business impact analysis and data classifications. Trends should cover employee training completion, supply chain assessments and security budget comparisons.
To encourage transparency about latent vulnerabilities, reasonable worst-case loss estimates should be presented to foster open discussion. Updates should cover the top external threats along with plans to implement controls that combat them.
By contextualising risk exposure, informed decisions can guide cybersecurity investments proportional to organisational tolerance levels. This clarifies cost-benefit trade-offs.
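The KRI reporting described in Phase 2 is easier to reason about with a concrete calculation in front of you. The following is an added example, not code from the article or from any tool it mentions: it computes three of the indicators the text names (patch lag, multi-factor authentication adoption and incident response time) from constructed sample records and flags each against a board-approved tolerance. The record layouts, the sample values and the tolerance limits are all assumptions invented for illustration; the point is that every KRI on the dashboard carries its own limit and its own breach status rather than a reassuring aggregate.

```python
"""Board-level KRI report from constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str            # data classification, e.g. "confidential"
    patch_released: date           # date the vendor fix became available
    patch_applied: Optional[date]  # None means the asset is still unpatched


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool
    mfa_enabled: bool


@dataclass(frozen=True)
class Incident:
    ident: str
    detected: date
    contained: date


def patch_lag_days(assets, as_of, classification=None):
    """Median days from patch release to patch application.
    An asset still unpatched on `as_of` counts its whole open window,
    so a growing backlog raises the KRI instead of disappearing from it."""
    lags = [((a.patch_applied or as_of) - a.patch_released).days
            for a in assets
            if classification is None or a.classification == classification]
    return median(lags) if lags else 0


def mfa_coverage_pct(accounts, privileged_only=False):
    """Percentage of accounts (optionally only privileged ones) with MFA enabled."""
    pool = [a for a in accounts if a.privileged or not privileged_only]
    if not pool:
        return 0.0
    return 100.0 * sum(a.mfa_enabled for a in pool) / len(pool)


def median_containment_days(incidents):
    """Median days from detection to containment: one incident response time KRI."""
    durations = [(i.contained - i.detected).days for i in incidents]
    return median(durations) if durations else 0


def kri_report(assets, accounts, incidents, as_of, limits):
    """Compare each KRI with its tolerance. `limits` maps a KRI name to
    (limit, "max" | "min"); a "max" KRI breaches above the limit, a "min"
    KRI breaches below it."""
    values = {
        "patch_lag_confidential_days": patch_lag_days(assets, as_of, "confidential"),
        "mfa_privileged_pct": mfa_coverage_pct(accounts, privileged_only=True),
        "median_containment_days": median_containment_days(incidents),
    }
    report = {}
    for name, value in values.items():
        limit, direction = limits[name]
        breached = value > limit if direction == "max" else value < limit
        report[name] = {"value": value, "limit": limit, "breached": breached}
    return report


# Constructed sample data (hypothetical assets, accounts and incidents).
AS_OF = date(2024, 2, 1)
SAMPLE_ASSETS = [
    Asset("crm-db", "confidential", date(2024, 1, 5), date(2024, 1, 14)),   # 9 days
    Asset("hr-portal", "confidential", date(2024, 1, 2), None),             # 30 days open
    Asset("marketing-site", "public", date(2024, 1, 3), date(2024, 1, 15)), # 12 days
    Asset("file-server", "internal", date(2023, 12, 20), date(2024, 1, 29)),# 40 days
]
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=True, mfa_enabled=True),
    Account("bob", privileged=True, mfa_enabled=False),
    Account("carol", privileged=False, mfa_enabled=True),
    Account("dave", privileged=False, mfa_enabled=True),
    Account("eve", privileged=False, mfa_enabled=False),
]
SAMPLE_INCIDENTS = [
    Incident("INC-1", date(2024, 1, 8), date(2024, 1, 9)),
    Incident("INC-2", date(2024, 1, 15), date(2024, 1, 20)),
    Incident("INC-3", date(2024, 1, 22), date(2024, 1, 24)),
]
# Hypothetical board-approved tolerances.
LIMITS = {
    "patch_lag_confidential_days": (14, "max"),
    "mfa_privileged_pct": (100.0, "min"),
    "median_containment_days": (3, "max"),
}

if __name__ == "__main__":
    for name, row in kri_report(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, SAMPLE_INCIDENTS,
                                AS_OF, LIMITS).items():
        status = "BREACHED" if row["breached"] else "within tolerance"
        print(f"{name:30} {row['value']:>6}  limit {row['limit']:>6}  {status}")
```

Running the script prints one line per KRI; with the sample data, patch lag on confidential systems and privileged MFA coverage are both outside tolerance while containment time is within it. Filtering the patch-lag KRI by data classification is what ties the indicator to the business impact analysis the text calls for, and treating unpatched assets as still-open lag keeps the number honest.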
Phase 3: Recruit a Director with Relevant Expertise
Even with increased cyber literacy across all board members, the board needs more in-depth knowledge and expertise to judge the adequacy of its security posture amidst an evolving threat landscape. Recognising this constraint, the board should recruit at least one new member with specific cyber qualifications.
Ideally, the new cybersecurity experts show substantial strategic management experience applying risk concepts across complex organisations. Public and private sector security leaders, enterprise CISOs, and equivalents like Chief Risk Officers (CROs) from technology firms would fit the bill. However, those clinging to dated check-the-box mentalities may do more harm than good.
Once appointed, fully leveraging this domain authority is paramount. Beyond advising on proposals, having an engaged board member shapes policy, standards, metrics, and planning. Independence and stature can crystallise strategic roadmaps where compromise impedes progress.
However, with resource constraints, boards may formally choose a current director as a “cyber proficient” member based on familiarity. Simple milestone outputs help offset this partial solution. Reassessing competence adequacy as threat awareness expands is still key until dedicated expertise is secured.
Phase 4: Committee Designation
The final phase cements cybersecurity through explicit committee accountability, charters, and reporting obligations. While risk and technology committees traditionally maintained related oversight areas, scope creep often diluted focus. When security reviews are squeezed into already full agendas, critical diligence can fall between the cracks.
Elevating cyber into dedicated board committees will help clarify where the buck stops. Cross-membership with risk and technology groups will foster alignment. But directly tasking a team avoids diffusion. Unsurprisingly, boards now have stand-alone cyber committees.
Their charters guide strategic planning and resource allocation while ensuring policy compliance, control assessments, and crisis simulation. Regular one-on-one sessions between committee leadership and CISOs build pivotal partnerships detached from operations. Architectural directives become actionable rather than simply reassuring, and action is what we need.
Getting Board Cyber Governance Right
Like any journey, missteps will occur as boards transform cybersecurity into a top-tier priority with enabling oversight. For example, early dependence on awareness briefings without context can raise undue confidence levels. However, structured progression centred on risk management and expert guidance can put organisations on the pathway toward cyber resilience.
Final Thoughts
Gartner’s prediction reflects the growing strategic importance of cyber risks and threats. However, most boards have a long journey to develop competent governance in this crucial area, which must change every aspect of the enterprise.
Transitioning from the old to the new will take time and effort. Raising foundational understanding for all board members is the first step. Formalising reporting, recruiting a competent and certified expert, and setting up focused committees with key deliverables all take time, so it is important that boards begin now.
The risks of inaction are now impossible to ignore as major breaches continue to inflict substantial financial and reputational damage daily. By embracing cybersecurity as an enterprise-wide strategic priority with oversight from the very top, boards can help their organisations progress beyond reactive tactics. The blueprint now exists to enable resilience and opportunity instead. Leaders must seize Gartner’s insights to shape a governance model that benefits their futures. There is no time to waste in beginning this important work.
Founder & CEO at OutThink – the original cybersecurity human risk management platform - by CISOs, for CISOs
9 months: It's about time! The sooner, the better.
Seeking Senior, Leadership, Directing, Consulting, Strategic Planning role in Managing Program|Project|Portfolio|Product|PMO|Hands-on Engineer(AI/ML/Cybersecurity/Software)|Lifelong Learner|(Canada|USA-Relocation|Travel)
9 months: Agree, & to begin with in 2024, ALL organizations MUST have a dedicated Cybersecurity/Security dedicated department where people are hired from outside and trained by the companies in ALL tools, technologies, qualifications and certifications in Cybersecurity.
If only they knew what they were supposed to be doing... that would be great
Head of Security Business Engagement | Security Strategy, Cybersecurity
10 months: My prediction is that 70% of boards will appoint CIOs thinking they’re getting cybersecurity expertise, not realising that they are ensuring the exact opposite. Cynical maybe, snarky for sure, but if I’m wrong I will be delighted.