The 3 Biggest Mistakes the Board can Make around Cyber Security
The protection of the business from cyber threats is something you need to grow, not something you can buy
The role of the Board in relation to cyber security is a topic we have visited several times since 2015, first in the wake of the TalkTalk data breach in the UK, then in 2019 following the WannaCry and NotPetya outbreaks and the data breaches at BA, Marriott and Equifax, amongst others. This is also a topic we have been researching with techUK, and that collaboration resulted in the start of their Cyber People series and the production of the “CISO at the C-Suite” report at the end of 2020.
Overall, although the topic of cyber security is now definitely on the board’s agenda in most organisations, it is rarely a fixed item. More often than not, it makes an appearance at the request of the Audit & Risk Committee or after a question from a non-executive director, or, worse, in response to a security incident or a near-miss.
Behind this lies a pattern of recurrent cultural and governance attitudes which may be hindering cyber security more than enabling it.
There are 3 big mistakes the Board needs to avoid to promote cyber security and prevent breaches.
1- Downgrading it: “We have bigger fish to fry…”
Of course, each organisation is different and the COVID crisis is affecting each differently – from those nearing collapse, to those which are booming.
But pretending that the protection of the business from cyber threats is not a relevant board topic now borders on negligence and is certainly a matter of poor governance which non-executive directors have a duty to pick up.
Cyber attacks are in the news every week and have caused millions in direct losses and hundreds of millions in lost revenue at large organisations across almost every industry sector.
Data privacy regulators suffered setbacks in 2020: they had to cut some of their headline fines (BA and Marriott in the UK), and we also saw a first successful court challenge in Austria lead to a multi-million fine being overturned (EUR 18M for Austrian Post). Nevertheless, fines now regularly reach the millions or tens of millions; still very far from the ceiling of 4% of global annual turnover allowed under the GDPR, but the upward trend is clear, as DLA Piper highlighted in their 2021 GDPR fines survey, and those numbers should register on the radar of most boards.
Finally, the COVID crisis has made most businesses heavily dependent on digital services, the stability of which is built on sound cyber security practices, in-house and across the supply chain.
Cyber security has become a pillar of the “new normal” and, even more than before, should be a regular board agenda item, clearly visible in the portfolio of one board member, who should have part of their remuneration linked to it (where remuneration practices allow). As stated above, this is fast becoming a plain matter of good governance.
2- Seeing it as an IT problem: “IT is dealing with this…”
This is a dangerous stance at a number of levels.
First, cyber security has never been a purely technological matter. The protection of the business from cyber threats has always required concerted action at people, process and technology level across the organisation.
Reducing it to a tech matter downgrades the subject and, as a result, the calibre of talent it attracts. In large organisations, which are intrinsically territorial and political, it has led for decades to an endemic failure to address cross-silo issues, for example around identity or vendor risk management, in spite of the millions spent on those matters with tech vendors and consultants.
So it should not be left to the CIO alone to deal with, unless their profile is sufficiently elevated within the organisation.
In the past, we have advocated alternative organisational models to address the challenges of the digital transformation and the necessary reinforcement of practices around data privacy in the wake of the GDPR. They remain current, and of course are not meant to replace “three-lines-of-defence” type of models.
But here again, caution should prevail. It is easy – in particular in large firms – to over-engineer the three lines of defence and to build monstrous and inefficient control models. The three lines of defence can only work on trust, and must bring visible value to each part of the control organisation to avoid creating a culture of suspicion and regulatory window-dressing.
3- Throwing money at it: “How much do we need to spend to get this fixed?”
The protection of the business from cyber threats is something you need to grow, not something you can buy – in spite of what countless tech vendors and consultants would like you to believe.
As a matter of fact, most of the organisations breached in the past few years (BA, Marriott, Equifax, Travelex… the list is long) would collectively have spent tens or hundreds of millions on cyber security products over the last decades.
Where cyber security maturity is low and profound transformation is required, simply throwing money at the problem is rarely the answer.
Of course, investments will be required, but the real silver bullets are to be found in corporate culture and governance, and in the true embedding of business protection values in the corporate purpose: something which needs to start at the top of the organisation, through visible and credible board ownership of those issues, and cascade down through middle management, relayed by incentives and remuneration schemes.
This is more challenging than commissioning ad-hoc pen tests, but it is the only way to lasting long-term success.