When IT security and risk leaders make cyber security âbusiness relevantâ, the cyber-committed CEO and board of directors become âengaged, not just involvedâ. This point, which informs the principle message of Accentureâs briefing document The Cyber-Committed CEO and Board (2017) has resonated louder in recent years than when it was first published.
However, any organisationâs cyber-committed senior executives now have to ramp-up those levels of engagement if the organisations they lead are not to continually be weakened by a bifurcated vision of how business and security exigencies leverage each otherâs strengths.
In most European organisations the c-suite is accountable for the gamut of its decrees, and âplausible deniabilityâ (the ability to deny knowledge of or responsibility for any damnable actions committed by others in a hierarchy because of a lack of evidence that confirms their participation) is no longer an excuse. Boards directors and senior managers should include potential and evidential cyber threats and solutions in corporate governance debates, as they seek to understand and manage the business impacts incidents bring.
Chief officers also have to proactively educate themselves about the cyber security issues, and not sit back and wait to be briefed by IT security confreres at quarterly meetings. They are fortunate in that they now have more executive-friendly sources of security information at their disposal than they previously had.
âWhen a cyber attack hits, you are potentially faced with an existential crisis that youâve never faced before,â says a chairman quoted in the 2019 AON/FT review, Safeguarding Value in the Era of Cyber Risk. âYou cannot underestimate the human response to such an incident, a situation that will change constantly requires a great degree of flexibility in crisis-response plans. The board and executive are on such high alert that itâs difficult to stay within a rigid structure.â
Introduced in May 2018, the EUâs General Data Protection Regulation â GDPR â has also had an important effect on the improvement of c-suite awareness on cyber issues, according to another quotee in the AON/FT review: âGDPR has made companies really understand their [ICT] systems,â they said, âand [improved] their internal understanding of the impact of cyber threats⊠As a process, [GDPR] has [also] allowed the acceleration of knowledge at the c-suite level.â
C-suite involvement in cyber governance and defensive decision taking will not, perforce, result in a comparatively short-term improvement in a typical organisationâs cyber defensiveness. And while 79% of directors questioned last year (2019) by BDOâs annual Cyber Governance Survey claim they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight; 72% of board-level respondents confirmed the board is more involved with cyber governance than they were in the 12 months prior to the time of the survey.
The Cyber Governance Survey also found that as boards become more involved in cyber security decisions (especially due to regulatory changes and reputational damage concerns), the âcadence of reporting on cyber security is increasingâ: 32% of senior execs polled report that they are briefed at least quarterly on cyber security, while 54% are briefed at least annually.
However, 9% of boards indicate they are still ânot being briefed on cyber security at allâ. During the initial four years BDO conducted the Cyber Governance Survey, the percentage of directors reporting no cyber security briefings dropped consistently, and during the 2018-2019 year, that number has âheld steadyâ.
The reasons why nearly 10% of c-suites/boards are not in scheduled communication with their IT security personnel are less clear, especially given the fact that the individuals involved now bear professional culpability for both regulatory compliance and legal liability in the event of a successful cyber attack against their organisations.
Itâs possible that some c-suites/boards feel too overstretched by other demands that they have marginalised their interest in cyber security, or do not regard it as a business reality priority. There is no doubt that assuming greater responsibility for cyber governance constitutes an additional imposition on their schedules.
Grant Thorntonâs Cyber Security: The Board Report (2019) points out that the impact of regular cycles of cyber attacks âplaces a huge burdenâ on the senior executive, especially those who will have designated roles in the business continuity and incident response plans. During serious incidents, typically the CFO, the CIO and CLO/General Counsel commit 100% of their time until the crisis is resolved, and the CEO around 50% of their time. Vital response activity may last for weeks, and cause chief officers to have to postpone important appointments and other work.
EXECUTIVE CYBER RESPONSIBILITY IS EXTRA BURDEN
âThe knock-on impact is considerable,â Cyber Security: The Board Report points out. âDecisions are delayed, and plans are put on hold as senior leadersâ attention is diverted away from their day jobs. The effect spreads across the organisation: employees lose confidence in the leadership team and pride in the organisationâ. In its commentary, Grant Thornton recommends that enterprise cyber security be made the responsibility of a specific board member in order to âstop cyber risk management slipping through the netâ.
Its research indicates that organisations which appoint a specific board/c-suite member to this role âsuffer lower average losses in the event of successful attackâ than those that do not do so. In Grant Thorntonâs client experience, organisations most frequently choose the CIO or CTO to fulfil the role (as the IT security lead, the CISO is likely to be committed to the front-line remedial activity). Yet, in its view, it is worth considering a different board member, one without any particular technology specialism.
âThe CFO (Chief Financial Officer) would be a good choice,â Cyber Security: The Board Report states. This is because âin most mid-market companies, it is the CFO who is typically responsible for the risk. Making cyber security their responsibility underlines the fact that cyber risk is a business risk, like any other, that needs to be managedâ.
A further advantage, Cyber Security: The Board Report says, is that in business, there is often a natural tension between operational targets and cyber security targets: âShould the priority be to minimise interruption to operational systems (and therefore limit or delay software updates)? Or should maximum security be the priority, even if frequent updating means users cannot access business systems for hours or sometimes days?â
A board member who is neither the COO or CIO has the benefit of a degree of distance on the debate and is perhaps positioned to find a better balance, Cyber Security: The Board Report observes. The UC Berkeleyâs Center for Long-Term Cybersecurity (CLTC)âs study Considerations for Effective Oversight of Cyber Risk (2019) is one of the first to focus on questions around how should boards of directors oversee cyber security risk for large global organisations.
The study found there is no single governance âplaybookâ for cyber that can be applied across sectors and risk profiles. It determined that cyber security risk requires âa different, more dynamic governance model than is common among boards for handling other risksâ, a mindset the study defines as âresilient governanceâ.
Boards feel a âdeep sense of urgency to exercise a central role in improving cyber security postures and outcomesâ for their organisations, the study reports. This attitude is appropriate, because by most common measures cyber security problems are âmorphing and mounting in importance faster than they are being solved or managedâ, the study adds.
The CLTC and Booz Allen Hamilton study also found that there are in fact significant differences in what directors mean when they assert that cyber has become âa board issueâ; notwithstanding, cyber security will without unquestionably remain a board/c-suite-level issue for the foreseeable future, it concludes.
The study also revealed some anomalies that highlight a slight susceptibility on the part of cyber-aware c-suites and boards to absorb and regurgitate buzzterms. A proportion of the studyâs interviewees began by asserting that cyber security is now an âexistential riskâ â generally taken to mean a fundamental hazard to the continued existence of their enterprises.
âSurprising,â the report says, âbecause it is very hard to identify a major firm or government organisation that has ceased to exist as a result of a cyber attackâ.