When IT security and risk leaders make cyber security ‘business relevant’, the cyber-committed CEO and board of directors become ‘engaged, not just involved’. This point, which informs the principle message of Accenture’s briefing document The Cyber-Committed CEO and Board (2017) has resonated louder in recent years than when it was first published.
However, any organisation’s cyber-committed senior executives now have to ramp-up those levels of engagement if the organisations they lead are not to continually be weakened by a bifurcated vision of how business and security exigencies leverage each other’s strengths.
In most European organisations the c-suite is accountable for the gamut of its decrees, and ‘plausible deniability’ (the ability to deny knowledge of or responsibility for any damnable actions committed by others in a hierarchy because of a lack of evidence that confirms their participation) is no longer an excuse. Boards directors and senior managers should include potential and evidential cyber threats and solutions in corporate governance debates, as they seek to understand and manage the business impacts incidents bring.
Chief officers also have to proactively educate themselves about the cyber security issues, and not sit back and wait to be briefed by IT security confreres at quarterly meetings. They are fortunate in that they now have more executive-friendly sources of security information at their disposal than they previously had.
“When a cyber attack hits, you are potentially faced with an existential crisis that you’ve never faced before,” says a chairman quoted in the 2019 AON/FT review, Safeguarding Value in the Era of Cyber Risk. “You cannot underestimate the human response to such an incident, a situation that will change constantly requires a great degree of flexibility in crisis-response plans. The board and executive are on such high alert that it’s difficult to stay within a rigid structure.”
Introduced in May 2018, the EU’s General Data Protection Regulation – GDPR – has also had an important effect on the improvement of c-suite awareness on cyber issues, according to another quotee in the AON/FT review: “GDPR has made companies really understand their [ICT] systems,” they said, “and [improved] their internal understanding of the impact of cyber threats… As a process, [GDPR] has [also] allowed the acceleration of knowledge at the c-suite level.”
C-suite involvement in cyber governance and defensive decision taking will not, perforce, result in a comparatively short-term improvement in a typical organisation’s cyber defensiveness. And while 79% of directors questioned last year (2019) by BDO’s annual Cyber Governance Survey claim they have avoided a data breach or incident in the past two years, public company boards are becoming more involved in cyber oversight; 72% of board-level respondents confirmed the board is more involved with cyber governance than they were in the 12 months prior to the time of the survey.
The Cyber Governance Survey also found that as boards become more involved in cyber security decisions (especially due to regulatory changes and reputational damage concerns), the ‘cadence of reporting on cyber security is increasing’: 32% of senior execs polled report that they are briefed at least quarterly on cyber security, while 54% are briefed at least annually.
However, 9% of boards indicate they are still ‘not being briefed on cyber security at all’. During the initial four years BDO conducted the Cyber Governance Survey, the percentage of directors reporting no cyber security briefings dropped consistently, and during the 2018-2019 year, that number has ‘held steady’.
The reasons why nearly 10% of c-suites/boards are not in scheduled communication with their IT security personnel are less clear, especially given the fact that the individuals involved now bear professional culpability for both regulatory compliance and legal liability in the event of a successful cyber attack against their organisations.
It’s possible that some c-suites/boards feel too overstretched by other demands that they have marginalised their interest in cyber security, or do not regard it as a business reality priority. There is no doubt that assuming greater responsibility for cyber governance constitutes an additional imposition on their schedules.
Grant Thornton’s Cyber Security: The Board Report (2019) points out that the impact of regular cycles of cyber attacks ‘places a huge burden’ on the senior executive, especially those who will have designated roles in the business continuity and incident response plans. During serious incidents, typically the CFO, the CIO and CLO/General Counsel commit 100% of their time until the crisis is resolved, and the CEO around 50% of their time. Vital response activity may last for weeks, and cause chief officers to have to postpone important appointments and other work.
EXECUTIVE CYBER RESPONSIBILITY IS EXTRA BURDEN
‘The knock-on impact is considerable,’ Cyber Security: The Board Report points out. ‘Decisions are delayed, and plans are put on hold as senior leaders’ attention is diverted away from their day jobs. The effect spreads across the organisation: employees lose confidence in the leadership team and pride in the organisation’. In its commentary, Grant Thornton recommends that enterprise cyber security be made the responsibility of a specific board member in order to ‘stop cyber risk management slipping through the net’.
Its research indicates that organisations which appoint a specific board/c-suite member to this role ‘suffer lower average losses in the event of successful attack’ than those that do not do so. In Grant Thornton’s client experience, organisations most frequently choose the CIO or CTO to fulfil the role (as the IT security lead, the CISO is likely to be committed to the front-line remedial activity). Yet, in its view, it is worth considering a different board member, one without any particular technology specialism.
‘The CFO (Chief Financial Officer) would be a good choice,’ Cyber Security: The Board Report states. This is because ‘in most mid-market companies, it is the CFO who is typically responsible for the risk. Making cyber security their responsibility underlines the fact that cyber risk is a business risk, like any other, that needs to be managed’.
A further advantage, Cyber Security: The Board Report says, is that in business, there is often a natural tension between operational targets and cyber security targets: ‘Should the priority be to minimise interruption to operational systems (and therefore limit or delay software updates)? Or should maximum security be the priority, even if frequent updating means users cannot access business systems for hours or sometimes days?’
A board member who is neither the COO or CIO has the benefit of a degree of distance on the debate and is perhaps positioned to find a better balance, Cyber Security: The Board Report observes. The UC Berkeley’s Center for Long-Term Cybersecurity (CLTC)’s study Considerations for Effective Oversight of Cyber Risk (2019) is one of the first to focus on questions around how should boards of directors oversee cyber security risk for large global organisations.
The study found there is no single governance ‘playbook’ for cyber that can be applied across sectors and risk profiles. It determined that cyber security risk requires ‘a different, more dynamic governance model than is common among boards for handling other risks’, a mindset the study defines as ‘resilient governance’.
Boards feel a ‘deep sense of urgency to exercise a central role in improving cyber security postures and outcomes’ for their organisations, the study reports. This attitude is appropriate, because by most common measures cyber security problems are ‘morphing and mounting in importance faster than they are being solved or managed’, the study adds.
The CLTC and Booz Allen Hamilton study also found that there are in fact significant differences in what directors mean when they assert that cyber has become ‘a board issue’; notwithstanding, cyber security will without unquestionably remain a board/c-suite-level issue for the foreseeable future, it concludes.
The study also revealed some anomalies that highlight a slight susceptibility on the part of cyber-aware c-suites and boards to absorb and regurgitate buzzterms. A proportion of the study’s interviewees began by asserting that cyber security is now an ‘existential risk’ – generally taken to mean a fundamental hazard to the continued existence of their enterprises.
‘Surprising,’ the report says, ‘because it is very hard to identify a major firm or government organisation that has ceased to exist as a result of a cyber attack’.