CYBER SECURITY GOVERNANCE AND THE ROLE OF THE DIRECTORS.
Paul Nielsen
I help SMEs with up to $50M T/O, using my 46 years of engagement with businesses and NFPs, by providing strategies, advice and execution to maximise growth, create sustainability, profitability and seamless succession.
If you sit on a Company or Organization’s Board you need to embrace the Cyber Security Train, or you could get left behind at the Station. Until you accept that, in the world we now live in, the truism that “Cyber Risk is Business Risk” is here to stay, you will never be able to deal with the whole-of-business tectonic shift in thinking that is essential to survive Cyber Risk in the coming decade.
The digital landscape is moving at lightning speed as Cyber Crime hits epidemic proportions. As 2018 draws to a close, it is estimated that the worldwide cost of Cyber Crime has hit US$1.4 Trillion this year and that by 2021 it will rise to US$6 Trillion.
Why is this happening? It’s simple. Cyber Crime is a great business model for Criminals to exploit. It is less expensive to perpetrate, easier to organize, has no regard for and is not restricted by national borders, is oftentimes supported by nation states, and is relatively difficult to prosecute compared to other forms of international criminal activity.
If you ask anyone involved in Cyber Crime prevention at a high level, they will tell you that they are continually playing catch-up – every new day brings a new and more sophisticated threat.
If you sit on a Board you first need to accept that one day, your company or organization is going to be breached. It’s just a fact of life in the same way that most people accept that one day they will have a car accident. Car accidents are a by-product of driving on the road just as cyber breaches in today’s world are a by-product of being dependent on the Internet.
So, how can you manage the increasingly volatile and fast-paced changes required in businesses worldwide as we move towards a fully digital world?
The key strategies here are ‘minimization’ and ‘resilience’.
It goes without saying that you need to have current Good Business Practices in relation to your Cyber Assets in place to try to prevent breaches from occurring, but just as importantly you need to have a robust plan in place for when they do occur.
This ‘plan’ needs to start at the Board level and filter through every level of the company. As a Company Director, in most jurisdictions around the world, it is negligent from a regulatory and legal perspective to delegate the responsibility for protecting the information assets of a company onto the shoulders of the CEO alone. Everyone in the organization must be in lockstep behind the need for a robust Cyber Security posture.
In larger Companies over the past 2 to 4 years we have seen the ‘scalps’ of a number of CEOs taken for having poor Cyber Security Practices in the companies they manage, and Board members have had to fall on their swords as a result. Directors have been sued by shareholders for not exercising ‘Due Care’ and ‘Due Diligence’ in safeguarding the assets and information of the company, and this ‘blame game’ is only going to escalate.
Most Experts believe that the Cyber Security Governance of companies will become as important to shareholder investors as PE ratios. There is no question that Financial Institutions and Insurance Companies are looking more closely at companies’ cyber risk posture, and this will also be reflected in business enterprise values moving forward.
It is clear that many Boards do not have a Cyber Security Expert sitting on the Board who is up with the play in relation to Cyber Trends worldwide – the big picture overview rather than the detailed Technical/Operational side of Cyber Security.
In reality, though it is not their only responsibility under law, Board members are focused more on providing increasing shareholder value (profit/dividends) than on anything else. Consequently, when the CEO comes knocking looking for funding to minimize the Operational, Legal and Reputational risks to the organization, it is seen by some Board Members who have not had exposure to managing cyber risk in the information age as overkill and a waste of resources.
CEOs and their Cyber Security advisers (either in-house or external) need a Champion in their corner who thoroughly understands the ‘big picture’ when they present initiatives on risk mitigation and cyber resilience to the Board.
Prudent Board Chairs, as a first step to Cyber Security Governance, should consider the appointment of an Independent Non-Executive Director (NED) who has particular expertise in Cyber Security matters to provide oversight and advice as part of the Board framework.
This Independent NED could oversee the development of a robust Cyber Security Risk Management Plan, in consultation with the Board and CEO, that would include:
- An Enterprise Information Security Policy – To provide clear objectives for achieving alignment with information strategies.
- Cyber Security Culture – To provide clear objectives for the alignment of risk management policies to all organizational activities.
- Budgeting and Resource Allocation – Provide direction for the allocation of information security resources.
- Metrics and Measurable Standards – Set Standards for reporting on the effectiveness of security strategies.
- Return on Mitigation – Provide Clear Standards for reporting on the costs of security Initiatives and the value of information systems protected by security initiatives.
Organizational leaders, particularly Board members, need to play a crucial role in setting an example of quality Cyber Security Governance for their employees and stakeholders.