The governance of cyber
photo courtesy of tripwire.com

I was privileged to be the facilitator for a round table of some 20 experts - from the worlds of risk, insurance, governance, information and security, law, finance, communications, talent and compliance - to discuss the very specific, and very important issue of cyber governance. Not cyber risk, but cyber governance - how does the board and senior management team achieve effective oversight of cyber?

The round table was organised by the UK Association of Insurance and Risk Managers in Industry and Commerce - better known as Airmic, the association for 'everyone who has a responsibility for risk management and insurance for their organisation.' Members include board secretaries, finance directors, and internal auditors, as well as risk and insurance managers.

It's worth saying that the round table conversation revolved around the concept of cyber risk. Bearing in mind that the etymology of the word risk allows for an interpretation which encompasses 'opportunity' as well as 'danger', the round table was concerned to find that balance. Exploiting the significant upside means recognising the opportunities involved in living in a digital and networked world, based on data, where business models are predicated on transformation and disruption.

The downside takes two forms. The business model which fails to adapt, and becomes a 'victim' of value destruction.

And, for all companies - victorious and vanquished - the risk of cyber attack and manipulation.

Airmic have produced a White Paper capturing the conclusions of the round table. You can find it here

It's a great read, and I recommend you take the time to go through it and reflect on the contents.

For me, some of the stand-out comments are as follows:

  • The essential driver underpinning considerations of cyber risk governance should be business value
  • Cyber is not just a risk, a threat that needs to be controlled, but also an enormous opportunity. Data is, for many companies, their biggest asset. While data protection right now is at the centre of the conversation, it’s important to link data with the value drivers which make it the basis of business opportunity
  • The chairman has a responsibility to avoid giving all the responsibility for cyber to the director on the board who is an IT expert, but instead ensure that, collectively, directors can develop the necessary knowledge and expertise for a whole team discussion on the subject
  • If board members cannot ask the right questions, it diminishes their ability to work collectively to provide oversight and direction and create the right culture
  • Providing expert knowledge to the board needs to be done in a language that makes sense to all directors

For me, the key takeaway is that we 'ain't seen nothing yet' in terms of the levels of disruption which are due to affect us in the shape of artificial intelligence (AI), machine learning (ML), the internet of things (IoT), and the manipulation and leverage of 'big data' - in other words, cyber.

Companies may discover whether they are winners or losers more quickly than any of them, or us, realise.
