Business protection from cyber threats must be rooted in the reality of the world we live in
The role of the Board with regard to cybersecurity is a topic that keeps coming back and is often addressed in simplistic terms in my view.
I don’t think it makes sense to look for “one-size-fits-all” answers to the problem, given the number of parameters at play.
Macroeconomic conditions affecting the business at large, industry-specific aspects of the threat and incident landscape, and in particular the history of the company with cybersecurity and its cyber maturity levels (actual or perceived), are all aspects that should affect the attitude the Board takes with regard to the matter.
I have written on the topic on three occasions, first in 2016, in the wake of the widely publicised TalkTalk data breach in the UK, then again in 2019, following the 2017 WannaCry & NotPetya outbreaks as well as a number of high-profile breaches (Equifax, Marriott, British Airways to name a few), and finally in 2022 in response to a piece in the HBR that had attracted my attention.
It is relatively easy to address the problem from a post-breach perspective, as I was doing in 2016 and 2019: The emergency context creates a natural agenda for Board members to follow, which they would have encountered in a number of similar crisis-related situations.
It is more difficult to set the tone in a context where the “when-not-if” paradigm around cyberattacks is turning them into an ongoing reality.
There is also an amount of confusion – in my opinion – in many pieces on the topic with regard to the role of the Board from a corporate governance perspective, and in particular in relation to the role of the executive – or leadership – team (i.e. the group of people around the CEO actually running the firm and delivering on its strategic and operational objectives). I must admit I might have been guilty of that myself in the past to some extent, and this article is also about re-formulating some positions I took in earlier pieces.
Fundamentally, the Board has a duty of oversight over the executive. It should, amongst other things, ensure that the business is adequately protected from all existential and critical threats, not just cyber threats. It is a duty the Board has towards shareholders, but also employees, customers, regulators and in some cases, society at large for critical national operators.
So in the first instance, the Board should ensure it has a sound appreciation of the threat landscape the business is facing, in terms of potential threat agents, their motivations, degree of sophistication and potential targets.
In some cases, this knowledge and these considerations would have been there for a long time on the Board’s agenda: After all, global threats did not appear overnight. But this assessment needs to be kept up to date, in particular in relation to cyber threats, and if specific knowledge is missing on some aspects, it needs to be brought in through independent directors or special advisors.
But in all cases, this is something the Board needs to develop in their own terms and in their own language.
Then the Board should look for unequivocal accountability within the executive team for the protection of the business. And this should go as far as impacting remuneration and compensation for the executives involved.
This may be hard to establish in the face of growing and personal liabilities, but it is not something that should be delegated down, below the executive team, in particular when it comes to cyber threats on the basis that they might be “too technical”: As I wrote back in 2022, this is no longer about “wheeling in the CISO twice a year” after something has gone wrong or to put a tick in some compliance box.
The reporting between the Board and the executives in charge should be framed in relation to the history and maturity of the firm with regard to its protection from the threats it faces.
For example, irrespective of past accountabilities, it seems unthinkable that cyber threats would not have appeared on the Board’s agenda in recent years, given the amount of media coverage around some breaches, and the fact that each and every large organisation would have faced some form of incident or near-miss at some stage.
Having set an unequivocal level of accountability with one executive for cybersecurity, the Board may want to revisit the history of the firm with regard to cyber protection, to ensure that mistakes are not repeated, that funding is sufficient and, overall, that the right timeframes are set and respected, in particular over the mid- to long-term horizon if large-scale transformative efforts are required around cybersecurity.
We start to see a list of topics emerging, broadly matching my earlier pieces, around the “key questions the Board should ask”, but more than ever, executive accountability is key in the face of current threats to start building up a meaningful and powerful top-down dialogue around cybersecurity.
Readers may notice that I have not used the word “risk” even once in this article.
Ultimately, risk is about things that may or may not happen: In the face of the “when-not-if” paradigm around cyber threats – and increasingly other threats as well – it is essential for the Board to frame and own business protection as a topic rooted in the reality of the world we live in, not some hypothetical matter which could be somehow mitigated, transferred or accepted.
This is not just a matter of language, but a matter of mindset, and it is absolutely key to building meaningful engagement from the Board down and across the firm around cybersecurity.
About the Author
JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure”; he is a leading strategic advisor and a globally-recognised cybersecurity thought-leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security in the UK.