Three questions and a reality check around the role of the Board with Cybersecurity
It is time to challenge a number of outdated matters framing cybersecurity governance
This interesting piece from McKinsey confirms a number of trends and tendencies in the cybersecurity industry that have been concerning me for years and appear to be persisting (“A board-level view of cyber resilience”, August 27 2024; Sean Brown / Vinnie Liu / Justin Greis / Daniel Wallance).
The interview is well structured and there are many points on which we concur: building up cybersecurity as a “competitive differentiator”, the importance of operating models, the difficulties with benchmarking, etc.
But when it comes to the role of the Board around cybersecurity oversight, in my opinion, there are three key points to discuss and challenge in the article.
Cyber resilience: What does it really mean?
The first thing that surprised me, throughout the article, is that the term “cyber resilience” (prominent in the title) is only used twice in the 8 pages of the transcript, while, in comparison, “cybersecurity” appears 47 times.
To me, this is exactly in line with what I have been highlighting in earlier articles: what we are witnessing with the emergence of the “cyber resilience” concept in media speak is similar to what we witnessed 10 or 15 years ago when the term “cybersecurity” became prominent (replacing earlier wordings such as “information security”, “IT security” or “infosec”).
This is just technologists and their consultants trying to stay relevant, sound different or more “clever”, and make themselves heard in a context that has become crowded and noisy.
In the case of this McKinsey article, the use of “cyber resilience” is not even consultant jargon; it is just (literally) window-dressing.
Is a risk-based approach to cybersecurity still relevant and meaningful at Board-level?
To me, the concepts of “risk tolerance” or “risk appetite” are in frontal collision, at Board level, with the “when-not-if” paradigm around cyber-attacks.
“Risk”, ultimately, is about “the effect of uncertainty on objectives” (ISO 31000).
If the Board accepts the inevitability of a breach (“when-not-if”), it effectively takes cybersecurity matters out of the realm of risk: there is no uncertainty left to weigh against objectives, only the question of how well prepared the firm will be.
Coupled with the escalating nature of the possible impact of cyber breaches and the associated regulatory pressure, the Board has the duty to hold the executives accountable for protecting the firm, its brand, its reputation, its business, its employees and its customers, from those threats.
Expecting the Board to remain locked in risk acceptance discussions and arbitration between costs, risk appetite and regulatory compliance is simply replicating the logic that prevailed during the first decade of the century, as we clearly showed in 2019 with the Security Transformation Research Foundation.
It is a dangerous approach, and one that is simply outdated by about 15 years.
Can cybersecurity problems be reduced to a mere matter of under-investment in the face of escalating cyber threats?
To me, the ideas that cybersecurity maturity remains low because of chronic underinvestment in that space, and that “companies are struggling to invest at pace” with changing and rising threats, are simply too simplistic and avoid the difficult questions.
In my opinion, the root cause of the stagnation of cybersecurity maturity in many firms over the past two decades is not under-investment but execution failure: the cross-silo nature of many cybersecurity issues comes into conflict with corporate governance dysfunction, internal politics and inbred business short-termism.
And in turn, it is historic execution failure in that space that breeds reluctance to invest from top executives, who have seen one CISO after another asking for multi-million “transformative” budgets before resigning after a few years, leaving everything half done and blaming “the business” in the process.
This is one of the main engines of the “spiral of failure” around cybersecurity, which is the theme of my second book, released in early 2024.
Cybersecurity good practices have been structuring themselves for close to 30 years: knowing what to do around cybersecurity is reasonably well established, and the “basics”, properly applied in layers across the depth and breadth of the enterprise, continue to provide an acceptable level of protection from cyber threats in most firms, and an acceptable level of compliance with most regulations.
Cybersecurity transformation needs to be focused on the “How” of change, and to some extent on the “Who”, and not merely on the “What” (or how much it may cost).
Sound operating and governance models are key, and should come first, and they should drive investments in line with operational objectives, not risk appetite.
Cybersecurity transformation cannot work any other way, and it is becoming a plain matter of good leadership for the Board.
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges