When quantifying the scale of corporate cyber threat, the figures alone tell a sobering story.
As reported in The Economist's recent special report on cyber security, 800m data records were lost last year as a result of cyber-attack, despite estimated worldwide spending of £67bn on information security.
And while corporate threats such as industrial espionage and old-fashioned theft are nothing new, the digital dimension adds a fresh set of complications: not only the anonymity of malicious visitors to your computer systems but also the industrial scale of the attacks they can mount. It takes only one successful intrusion for your organization to suffer financial loss, stolen competitive advantage or reputational damage.
The type of harm it can do to a business makes cyber threat a high-level risk and a strategic concern for business leaders. Crucially, this is not necessarily about spending more money but about doing more.
But are business leaders doing enough? Recent research highlighted some concerning trends: in the UK Government's FTSE 350 Cyber Governance Health Check Tracker Report, issued in November 2013, 75% of executive directors had taken no cyber or information security training in the previous 12 months. It's a worrying finding.
At best, this suggests senior business leaders don't appreciate why understanding cyber resilience represents a strategic opportunity for them. At worst, it may reveal a state of denial among executives or a degree of resistance to the suggestion that they need greater awareness and training. Ironically, it's those at the top of organizations who are often targeted by cyber adversaries.
Another challenge in engaging the board and senior executives about cyber resilience is how the risks and opportunities are communicated and the language that's used. Like all of us, many senior security and IT decision makers will communicate in the way that they understand and feel comfortable with. Typically they will talk in terms of technologies and threats, which can easily bypass the attention of their board, who will be more concerned about the potential business impact on reputation, competitive edge and growth. What's missing is a common, business-led vernacular that broadens the understanding and perception of cyber issues across an organization and directly links cyber risks to business delivery and outcomes.
In addition, all too often the responsibility for cyber resilience is seen to sit with the head of IT. But cyber resilience is so much more than just technology. The stark reality is that no organization is safe from attack and no organization can ever be totally secure.
Every organization needs to define and accept an appropriate level of risk that suits their business; only the Board should be responsible for defining what their risk appetite is.
Even the best (and most expensive) technology can be undermined by the accidental or malicious actions of people; without appropriate cyber awareness and effective enterprise-wide processes and collaboration, an organization is always going to invite cyber security failure. It's an issue born of working in the digital age; the solution involves all of us - our behaviours, appropriate technology and processes.
Ultimately, the missing link can often be active senior leadership. Without that, it becomes virtually impossible to build a multi-disciplinary approach - with cross-functional teams rather than silos - that is needed for effective cyber resilience.
A recent McKinsey and Company article, "Why senior leaders are the front line against cyber-attacks", proposes a menu of actions that distinguish the best management actions in the face of cyber threat. But how readily are board members taking these actions?
In terms of "Actively engaging in strategic decision making" to develop cyber resilience, not all boards properly understand the material impacts that attacks can have on their business, rendering the issue a lower priority. People at the "top of the tree", though clearly very good at what they do, don't like to admit a lack of understanding. And the absence of an emotional connection to the cyber threat topic can lead to a "head in the sand" mentality. That said, emotion is not enough to drive the board's thinking; quantifying the Pound, Dollar, Euro or Yen cost to the business tends to focus boardroom minds, and businesses are getting better at this calculation.
In relation to "Pushing changes in user behaviour", there needs to be greater collaboration between IT and HR/Learning and Development teams to create company-wide, cyber awareness campaigns and behaviour change. AXELOS's own cyber resilience product development is developing new tools that provide 'learning by doing' - including serious games and simulations - designed to embed the most critical knowledge and skills permanently into practice.
And though "Effective governance and reporting" might be "in place", there seems to be a lack of understanding among organizations about how to move from where they are to where they need to be with cyber resilience. This requires a clear picture of existing capabilities, identifying what's vital and developing actionable plans.
How are organizations best placed to get this process underway in earnest? In an age of ubiquitous storytelling, it could be the power of the storyteller that comes into play: linking real-life stories and scenarios to executives' strategic priorities can create and build the emotional engagement and open collaboration required to deal with what is often an unseen menace.
We'd be keen to get your views and ideas so please email [email protected].