What does cyber resilience mean to company directors and why should they care?
The recent, high-profile incident involving Sony Pictures’ IT systems being hacked provides a comprehensive answer in itself.
A company the size and sophistication of Sony should be able to defend its commercially sensitive information. However, The Guardian reported a Federal Bureau of Investigation (FBI) viewpoint that even a government would have struggled to defend against this attack. The loss of an unpublished James Bond script, along with embarrassing details of internal communications and film star salaries, has led commentators to describe the incident as a “PR car crash”.
Even before this latest cyber breach, many boards had been reluctant to understand the full business impact of a cyber-attack, in my view because they saw it as too unlikely to worry about. The Sony Pictures episode should serve as a catalyst for board directors to re-think their stance on cyber resilience.
Who owns cyber resilience in an organization?
Commitment to cyber resilience in organizations varies by company, both private and public, but in many organizations it is undeniably lacking in focus right now.
Leadership on this issue needs to come from the board; indeed, the CEO needs to be the most instrumental, not simply delegating total responsibility to the Chief Information Security Officer (CISO) or IT department. Collectively, the board has to understand any proposals the CISO might make well enough to weigh them up alongside plans to combat other corporate risks or to exploit new opportunities for innovation and growth.
Discussions about cyber resilience in organizations are not particularly systematic at present: the topic is not a regular, board-level item, and it tends to gain prominence only after a crisis. That said, the UK government deserves particular credit for publishing a non-executive directors’ guide - Cyber Security: balancing risk and reward with confidence. Whilst greater awareness is good, more decisive and timely action is required.
AXELOS’ launch of its cyber resilience best practice guidance in Q2 2015 will offer something tangible to address the problem; an approach that will help organizations provide a safer environment in which to do business. It will help boards to understand that cyber risk is much more than a governance or compliance issue.
What do current approaches to cyber security look like?
Corporate approaches to cyber resilience are now, at best, inconsistent. Companies are at different stages in their understanding of, and response to, cyber resilience and in allocating the budget necessary to make a serious investment in risk prevention.
Among boardroom agendas, I haven’t seen cyber resilience as a regular, standing item; it’s rather something that comes up two to three times per year. At the very least the board needs to be discussing it every two months until all preventative measures are in place.
Equally, there’s insufficient understanding of the potential impact of a cyber-attack. This can be born of a combination of ignorance and fear of the unknown. The problem can be addressed by showing board directors what they don’t know and then building up their confidence in the subject by getting them up to speed with the issues. With dedicated input, it shouldn’t be beyond the capacity of the board to grasp the topic, especially when framed in a way that’s relevant to the organization.
What are some effective cyber resilience approaches for directors?
Get the CISO or IT manager to present to the board in layman’s terms about what keeps them awake at night and what the probable responses should be.
Identify the cyber risks - from the remote to the highly probable - using language that the audience understands and is consistent throughout.
Boards should share knowledge; talk to each other in business terms about what cyber assets they must protect. Each board needs to have the relevant knowledge in the first place: according to the 2014 Information Security Breaches Survey from PWC, 23% of businesses hadn’t briefed their board on security risks.
Follow the Ten Steps to Cyber Security document: doing the simplest 20% of what’s suggested - such as creating strong passwords that are changed often - will eliminate 80% of the potential risks. In short, we need to make ourselves a harder, less attractive target to those who seek to harm us.
Boards should be aware that their own staff pose a significant cyber risk and take sensible, pragmatic steps to mitigate it: PWC’s report revealed that 58% of large organizations suffered staff-related breaches. Such problems occurred in 70% of companies where security policy was poorly understood.
AXELOS and the future of cyber resilience best practice
AXELOS’ approach to best practice guidance for cyber resilience will focus on people. That’s an approach that spans the whole lifecycle of an individual’s employment with an organization.
An important element in raising awareness further will be storytelling: for example, a CEO’s suspicions about something cyber-related turning into a response. But as well as the factual, it needs to introduce the emotional dimension of a cyber-attack and its very real human impact.
For company directors with responsibility for cyber resilience, any security compromise can have an impact on their professional reputation. For non-executive directors in particular - who exercise less control over the company’s response to a crisis - being associated with a disaster might mean they don’t get offered another role.