When it comes to cyber resilience one thing is clear: companies are continuing to fail at gaining consistent and effective board-level engagement.
At the Chief Information Security Officer (CISO) Summit I attended in Geneva earlier this month – where about 100 CISOs and senior risk and security professionals gathered to discuss the challenges faced in cyber security – there were a number of cogent conclusions:
- Organizations find themselves at different levels of maturity. As one may expect, this applies not only across sectors but also within the same sector and therefore, in some cases, under the same regulatory environment.
- Many struggle to establish effective Board-level engagement.
- Changing user behaviours remains a challenge.
The problem is that these are not new challenges, and it is disappointing that we still haven’t managed to address them. We live in a time when it has never been more important for businesses to establish and maintain cyber resilience across the organization; but to achieve this, board-level engagement and buy-in to the problem are absolutely vital.
AXELOS’ Cyber Resilience Executive Action Team (CREATe) member, Ian Davies, who holds a number of Non-Executive Director (NED) positions across industry, spoke at the conference about how to improve communication with the board. Ultimately he advised companies and organizations to communicate in a clear and consistent way that is easily consumed by the audience or reader. This, unfortunately, is something many organizations fail to do.
In my AXELOS discussion paper on what many perceive to be the “information gap” between the board and the information security profession, I explained the need for clear communication and, importantly, the need for NEDs to test and probe some of the detail of what they are being told or recommended to do by cyber security and IT teams. This may require some professional development, which is something we at AXELOS and our partners are working towards. But is it enough?
Many organizations that have been victims of a cyber-attack were shocked to be a target at all, believing they were too small or didn’t have information worth stealing. Such attitudes illustrate a lack of awareness of the problem at a senior level and the inability of security professionals to convey it in a way the board can understand.
In an interview with Forbes Magazine, cybersecurity expert and former Principal Deputy Director, National Counterterrorism Center and Assistant Director for Intelligence, FBI, Kevin R. Brock, said: “Many cybersecurity experts now insist that any strategy to protect a company’s most valuable data and processes, no matter the industry, can no longer be delegated solely to the security or IT departments. The strategy must be driven from the highest levels of the firm and include boards of directors.”
Clearly, cyber awareness is needed at all levels: we all have a role to play in establishing and maintaining cyber resilience. Board-level engagement is key, but the messages need to be tailored to the audience.
AXELOS is aiming to make this easier for organizations to manage with a series of products targeting senior executives as part of the soon-to-be-released Cyber Resilience portfolio. To illustrate how cyber-attacks can affect an organization, we have published "Whaling for Beginners", which tells the fictional story of CEO Jim Baines and his journey through the aftermath of a cyber-attack on his packaging company as he feels guilt, embarrassment and concern for those he employs.
Further to this, we’re developing board room simulations, which are designed to highlight the risk and impact of cyber-attack and truly explain the extent of the problem to those at the top.
This is about improving knowledge, understanding and engagement with the board so that training and security can be established through an entire organization.