Helping the Board and the Business understand Cyber Risk
Each month seems to bring a new report showing that businesses need to be doing more about the threats to their IT, and daily there are media reports of companies' systems being breached by hackers, of data being lost and of increasingly sophisticated criminal activity.
The Internet has become ever more part of our business processes around the world, bringing new dimensions of communication, information sharing and performance.
Our companies' IT systems are critical, not just to business performance, but to organisational survival.
While the upside of all this connected technology is clear to most of us, there is a serious problem with how our decision makers are balancing the returns against the risks.
While the capabilities and benefits have raced ahead, and companies big and small have integrated new systems and technology into the heart of their operations, the risks to organisations from these new dependencies have grown too.
A big part of the issue is that Cyber and IT security is often not seen as a strategic risk issue and it's left almost exclusively to IT to manage, with the consequence that cyber and IT risk does not attract sufficient senior management focus until it's too late.
Our research shows that while most IT Teams are responsible for the integrity of their systems, the Board and senior managers often misinterpret the capabilities they actually have in practice. This is due to a lack of knowledge that results in difficulties in understanding technical information, but also to a lack of awareness of, or focus on, the issues. As a result capabilities are directly and negatively affected and the opportunity to reduce or eliminate the risk is lost.
When cyber security professionals get together and talk through the challenges they face, it's clear that these folks know what to do in the vast majority of cases to significantly mitigate threats and reduce the risk. So what's stopping them doing more? Well, many will cite the commitment, more generally, of the business to actually listening and acting consistently to adopt the measures that the professionals know are needed.
Time and again reports highlight how important it is for business to act, but even with the high levels of awareness of the issues we currently see, there are real problems in translating this knowledge into real action and capability. From our discussions with those on the frontline of IT and Cyber Security, a big part of the issue stems from a lack of understanding at the top of the organisation, as well as resource and more general support issues.
Now that may be true, but there is another perspective that needs to be considered, one that requires professionals to think a little differently.
Discussions as potentially complex as those that abound on ICT and cyber security can be difficult for those less technical to access, but this tends to be the way that the issues are defined and discussed … in technical terms.
For the technical folks this is fine, but this is not in the interests of the business or organisation when you’re looking at managing the bigger strategic and operational pictures.
To get real ‘buy in’, and consequently progress, we need to have a business focussed dialogue with the board to inform and position Cyber and ICT risks in a context that properly and clearly quantifies and illustrates what is at stake. We’ve also got to be far more candid and get past the tendency to report only the good news, things like 99.99% uptime, the money saved through better processes or the customers gained from new internet initiatives and report on the downside risks that aren’t being shared quite as transparently as they might be.
Acting on this requires not only a more detailed understanding of, and perspective on, the wider aspects of risk, but also being able to qualify and quantify the market effect of the various vulnerabilities that exist. Depending on the organisation, you may find that some or all of the skills needed to do this already exist in the Risk Management or Finance teams, and getting them involved can be very beneficial when it comes to creating a change of culture.
As stated above, this is a strategic issue and we should look to solve the issues faced not only through technical means, but by leveraging all the tools available to the business to achieve better performance for all the stakeholders. Understanding the value of your brand, the contractual implications and revenue impact that may arise from disruptions, and the potential liability that might exist for any cyber or information security failure all adds power and proportionality to the business case.
Remember, your systems, information and processes are vital strategic business assets, and this should be justified through analysis that connects the aims and values of the business to the field and is not lost in a sea of ‘tech jargon’.
The ICAEW recently provided some special guidance on cyber risk to the Corporate Finance sector that illustrates the point being made very well. In this guide the issues are laid out in simple commercial terms, along with the various steps needed to help the company to address its cyber risks. Critically, it includes the questions that the executive really should be asking of their IT and support teams that are integral to the cyber security process.
A key point made was that Boards and senior management have to be far more aware of what is being done in the organisation to protect data and processes and can’t take it for granted anymore that all is well. Any failure can quickly jump departmental divides and land the business in trouble, with clients, investors, regulators and the media all asking tough questions about why more wasn’t done.
In the same vein, we’d like to outline a few questions your board should be asking of your organisation, and of those you deal with, that will point to just how secure and cyber prepared you are.
Here are a dozen questions that we think should help you gauge where you are today and that may point to what you need to start doing tomorrow.
Is Information Security and Cyber Risk on the Board's agenda regularly? Do the Board talk about it openly and honestly, looking for evidence of progress?
How confident is the Board that the information assets are being managed properly and are safe from cyber threats?
Does the Board regularly review and identify key information assets and thoroughly assess information on the business's vulnerability to attack, including the wider impact on the company's interests of possible disruption and stolen or lost data?
Does the Board have regularly updated and thorough financial analysis of the business’s Information Security and Cyber Risks?
Is Information and Security Risk identified on the risk register?
Has the Board reviewed and understood the obligations and liabilities you have to other stakeholders for Information Security and Cyber Risk?
Does your organisation actively participate in the various government and industry programmes designed to inform on, and reduce Information Security and Cyber Risk?
Has responsibility for Information Security and Cyber Risk been allocated and aligned across the business appropriately?
Has the organisation provided training on Information and Security Risk for all staff, appropriate for their role and responsibilities?
Do you have a written information security policy in place that is supported and updated through regular staff training?
Are your technical teams encouraged to honestly assess your capabilities through benchmarking and other testing, and is this information provided to the Executive?
Do you discuss and share information on key Information and Cyber activities and emerging threats with customers, partners and other stakeholders?
If you are able to answer yes to these then you are doing better than most… well done!
If you’ve not done quite so well then it should be clear that behind each of the questions shown above there is plenty of justification to get started now.
Remember though that you will probably have some of the key ingredients in place already. Look at how you can integrate and connect Information and Cyber Risk with existing Risk and Business Continuity programmes and don’t forget that Incident and Crisis Management plans will also need to be considered and factored into your preparations too.
The result, though, will be a far more secure and robust foundation for your business that will protect your organisation's key information assets and provide the evidence to stakeholders that not only are you cyber prepared, but you can be trusted with even more business.