Making Cybersecurity a Priority in the Boardroom

Cyber risks are ever-increasing in the Covid-19 era. On one hand, businesses are going through a radical transformation while on the other, the attack surface is rapidly expanding due to more people working from home. There is increased pressure on executive teams to step-up and get a better handle on cybersecurity.

Cybersecurity governance is complex and can pose several challenges

The World Economic Forum (WEF) ranks cybersecurity amongst the top ten risks of immediate concern. This reaffirms the need for company boards to reprioritize cybersecurity and establish common standards and best-in-class reporting to identify risks systematically. The sad reality of it is that 40% of board members admit that cybersecurity isn’t a regular item on the agenda.

1) Cybersecurity isn’t always a priority

Is cybersecurity a priority in the boardroom? The answer is, it depends, and it depends on several factors: did the business suffer a recent attack? Is the business in a high-compliance industry like insurance, healthcare, or banking? Ernst & Young reports that two-thirds of businesses consider cybersecurity merely as an afterthought instead of including it in the planning stage of new business initiatives.

2) Board lacks familiarity with cybersecurity issues

The cybersecurity beast is difficult to understand and tame, especially for the board. Attack vectors are constantly evolving and boards struggle constantly to align their understanding of risk exposure. Often board members end-up discussing low-level operational security metrics (usually compiled by IT staff) which are not aligned to the organization’s strategic goals.

Another weakness is the ability of the CISO or CIO to articulate the business value and the risk of investing in, or not investing in cybersecurity, in a language that is meaningful to the board.

3) Lack of quantification and consistency in reporting

Measuring the effectiveness of cybersecurity processes is hard, especially in the absence of a standard set of industry principles or metrics. For example, a CFO can speak the language of EBITDA and the board understands it.

In the case of cybersecurity, most performance metrics (number of hacking attempts, phishing scams, breaches, etc.) are tied to the technology itself. Reports are downloaded and compiled from security products hence, they lack standardization. If the CISO changes the technology, the reporting format and performance metrics change too.

4) Difficult to assess the scale of risk

Unlike traditional risk models (risks associated with physical and financial assets) that are easier to measure and report, cyber-risk is extremely difficult to measure and the scale of risk can range from mildly problematic to existentially threatening. Unless the CISO demonstrates something substantial or compelling that is valuable to the board (for example business losses, brand or reputation damage, regulation violation or data breach fines, IP theft, etc.), it could lead to an underestimation of risk, subsequently making the organization vulnerable to attacks.

5) Confusion on who owns/manages cyber-risk

Historically, cybersecurity is seen as a function of IT and it is very likely the CIO will give cybersecurity a passing mention at board meetings. Research suggests that financial losses could be 46% higher in companies where the CISO reports to the CIO. Board members might be knowledgeable in steering the organization through complex financial risks but, when it comes to cybersecurity they themselves lack experience.

CISOs can get a grip on cybersecurity by following these four recommendations:

Reclaim remote work security by moving to the cloud and adopting virtual desktops

Due to the global pandemic, more organizations will make remote/home working a permanent feature. To be productive employees are going to need a consistent and seamless experience whether they are at home, in the office or on the road. To achieve this, many organizations are moving to a cloud model with virtual desktops, such as the recent joint announcement from Microsoft and Citrix. The benefit to organizations is that not only do virtual desktops deliver a seamless experience, they are more effective at protecting the organization’s data and applications.

Foster a culture of cybersecurity -- start from the top

It’s not just a problem of finding the right cybersecurity tools, but also one of management awareness and cybersecurity acumen at the highest levels. Security must be everyone’s responsibility and board members must take an active role to foster a culture that follows security best practices.

Focus on risk to quantify cybersecurity and ROI to justify investment

There is enough guidance available from cybersecurity frameworks such as NIST, COBIT, CIS Top 20, or the National Association of Corporate Directors (NACD), that can help build a strategy for technology-agnostic metrics. Technologies like Citrix VDI for example can help reduce the attack surface significantly, provide risk metrics and also help reduce overall cost of ownership.

With virtual desktops, IT staff, already facing a shortage of talent, no longer have to patch or manage, say, 1,000 laptops, 500 phones and 20 backend servers. They simply handle maintenance functions centrally while users login via their own devices. This reduces capital expenditures and the board understands this form of ROI.

Appoint a multi-disciplinary cybersecurity committee

Experts suggest that there ought to be multi-disciplinary oversight structures within the organization (such as HR, Audit, Legal, etc.) so that business does not lose sight of governance and risk. It’s advisable to split reporting lines in such a way that day-to-day security stays with IT, while governance, oversight, policy and compliance moves out of IT and possibly straight to the CEO or the board. In this way conflict between CIO and CISO is avoided, with checks and balances in place.

Cyber risks are real and inevitable. To ensure cybersecurity remains a priority in boardrooms, CISOs must learn to quantify cyber risk at the same level as that of financial risk or reputational risk.

Fortunately, there are tools on the market that not only redefine workspaces, but also significantly boost the ability of a CISO to analyze the attack surface, compute a risk score for the enterprise and report cyber risk to the board.

What’s Hot on Infosecurity Magazine?