Today, few board members fully understand the risks to their organization’s cybersecurity, according to the recent PwC Annual Corporate Directors Survey. While 66% of board directors believe a cyber breach reflects negatively on themselves personally, and 82% believe expertise in cyber-risk is important to the board, very few board members claim to understand their company’s level of exposure to such threats.
Ignorance is not bliss. This inability to effectively assess cyber-risk throughout the enterprise may turn out to be the most dangerous weakness of all — one that malicious actors can exploit to the fullest extent – and which is not easily addressed. What exactly is the board’s role in addressing such risks, and how should they oversee their corporate teams’ efforts to manage them better?
1. Cybersecurity is a strategic business enabler
Cybersecurity is more than just an IT issue
Strong, effective cybersecurity adds value to the business. Controlling cyber-risk means coordinating and collaborating with business units throughout the enterprise, including the CEO and the board. This ensures the entire enterprise, not just the IT department, is addressing cyber-risk. Further, organizations must instill a culture of cybersecurity by modelling good cyber decision-making:
• Are all executives – the entire C-suite – required to consider the cybersecurity implications of their activities?
• Has your organization discussed how to use cybersecurity as a market differentiator and business driver?
2. Align cyber-risk management with business needs
Boards should understand and assess how cyber-risks are effectively managed to pursue business objectives
By focusing on how cyber-risks impact their business and how to deal with them (by accepting, transferring, avoiding, or mitigating them), organizations can build a security profile that meets the needs of the business. Strategic leadership means ensuring that cyber-risk management conforms to business objectives with every decision, in mergers and acquisitions, digitizing the business, innovation and all other areas.
• Who is the “owner” of cyber-risk in your organization? The business or the security function?
• Are all business units required to report on key cyber-risks and response strategies?
• Is cyber-risk considered in all significant business decisions, such as launching a new product or publishing an app?
3. Understand the economic impact of cyber-risk
Enterprise decision-making requires analysis of the economic impact of cybersecurity choices
For effective business decisions, organizational risk assessments should weigh the costs of cybersecurity against strategic objectives, regulatory and statutory requirements, business outcomes, and the costs associated managing that risk. More than half (55%) of 3,249 business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks, according to PwC’s Global Digital Trust Insights 2021.
• Does your organization apply a consistent framework for calculating the economic impact and likelihood of cybersecurity events?
• Do business decisions consider the costs of compromise on cybersecurity?
• Has your organization set its cyber-risk appetite in the context of the company’s realistic vulnerabilities and strategic goals?
4. Ensure organizational design supports cybersecurity
Organizational structure should support security and strategic goals
Organizations should design an internal governance structure that addresses cybersecurity throughout the enterprise. Clearly define who’s accountable for critical actions and design cybersecurity practices into how the business operates and makes decisions.
• When was the last time you reviewed your organizational structure to ensure that the cybersecurity function is adequately represented throughout the business?
• Which officer has authority and accountability for coordinating cyber-risk strategy throughout the organization? Are they in a senior enough position?
5. Incorporate cybersecurity expertise into board governance
Boards need diverse sources of cybersecurity expertise
In 2020, 28% of S&P 500 companies reported that a member of the board of directors was a cybersecurity expert, up from 23% in 2019 and 7% in 2013. To provide proper oversight of the enterprise’s cybersecurity program, the board needs to understand common risks, challenges, and failures. To educate themselves, directors may consult industry and other guidance, board peers and third parties, and internal resources.
• Does your board have the right relationships inside and outside the organization to build their security knowledge?
• How many, if any, board members have cyber expertise?
• How often do you get input from third-party experts and assessors, who report to the board, to ensure effective oversight of management?
6. Foster systemic resilience and collaboration
Boards can take the lead in improving the cyber-resilience of industries and sectors
It takes a virtual village to fight cybercrime. Recent events have taught us that even the best cybersecurity-focused companies can be compromised by a sophisticated actor. Knowing that it is a matter of when, not if, attackers will be successful, it is important to be ready to respond and limit the damage of any attack. Security breaches may affect an entire sector and working with peers and even competitors can be crucial for systemic, industry-wide resilience. Stress-testing resilience plans is one of the lasting lessons from the pandemic. Risk leaders in the US say that in 2021, stress-testing will become more frequent and commonplace, both internally and externally. Boards can set the tone at the top for how inter-organizational relationships should look and set the expectation of management for cyber-risk collaboration.
• How well do you collaborate with peers, including other board members, to raise the baseline cybersecurity of the industry as a whole?
• Does your organization interact with its public-sector counterparties to understand the resilience issues facing the industry?
Read more at Woods LLP
Licensed from https://www.weforum.org/agenda/2021/01/cyber-security-governance-principles/