The 3 Biggest Mistakes the Board can Make around Cybersecurity
Although the topic of cybersecurity is now definitely on the board’s agenda in most organizations, it is rarely a fixed item. More often than not, it makes appearances at the request of the Audit & Risk Committee or after a question from a non-executive director, or – worse – in response to a security incident or a near-miss.
All this hides a pattern of recurrent cultural and governance attitudes which could be hindering cybersecurity more than enabling it.
There are 3 big mistakes the Board needs to avoid to promote cybersecurity and prevent breaches.
1. Downgrading it – “We have bigger fish to fry…”
Of course, each organization is different and the COVID crisis is affecting each differently – from those nearing collapse to those which are booming.
But pretending that the protection of the business from cyber threats is not a relevant board topic now borders on negligence and is certainly a matter of poor governance which non-executive directors have a duty to pick up.
Cyber attacks are in the news every week and have been the direct cause of millions in direct losses and hundreds of millions in lost revenues in many large organizations across almost all industry sectors.
Data privacy regulators have suffered setbacks in 2020: they have been forced to adjust down some of their fines (BA, Marriott), and we have also seen a first successful challenge in Austria leading to a multi-million fine being overturned (EUR 18M for Austrian Post). Nevertheless, fines are now regularly reaching the millions or tens of millions; still very far from the 4% of global turnover allowed under the GDPR, but the upwards trend is clear, as DLA Piper highlighted in their 2021 GDPR survey, and those numbers should register on the radar of most boards.
Finally, the COVID crisis has made most businesses heavily dependent on digital services, the stability of which is built on sound cybersecurity practices, in-house and across the supply chain.
Cybersecurity has become a pillar of the “new normal” and, even more than before, should be a regular board agenda item, clearly visible in the portfolio of one member who should have part of their remuneration linked to it (should remuneration practices allow). As stated above, this is fast becoming a plain matter of good governance.
2. Seeing it as an IT problem – “IT is dealing with this…”
This is a dangerous stance at a number of levels.
First, cybersecurity has never been a purely technological matter. The protection of the business from cyber threats has always required concerted action at the people, process, and technology level across the organization.
Reducing it to a tech matter downgrades the subject, and as a result the caliber of talent it attracts. In large organizations – which are intrinsically territorial and political – it has led for decades to an endemic failure to address cross-silo issues, for example around identity or vendor risk management – in spite of the millions spent on those matters with tech vendors and consultants.
So it should not be left to the CIO to deal with unless their profile is sufficiently elevated within the organization.
In the past, we have advocated alternative organizational models to address the challenges of the digital transformation and the necessary reinforcement of practices around data privacy in the wake of the GDPR. They remain current, and of course are not meant to replace the “three-lines-of-defense” type of models.
But here again, caution should prevail. It is easy – in particular in large firms – to over-engineer the three lines of defense and to build monstrous and inefficient control models. The three lines of defense can only work on trust, and must bring visible value to each part of the control organization to avoid creating a culture of suspicion and regulatory window-dressing.
3. Throwing money at it – “How much do we need to spend to get this fixed?”
The protection of the business from cyber threats is something you need to grow, not something you can buy – in spite of what countless tech vendors and consultants would like you to believe.
As a matter of fact, most of the breached organizations of the past few years (BA, Marriott, Equifax, Travelex, etc… the list is long…) would have spent collectively tens or hundreds of millions on cybersecurity products over the last decades…
Where cybersecurity maturity is low and profound transformation is required, simply throwing money at the problem is rarely the answer.
Of course, investments will be required, but the real silver bullets are to be found in corporate culture and governance, and in the true embedding of business protection values in the corporate purpose: something which needs to start at the top of the organization through visible and credible board ownership of those issues, and cascade down through middle management, relayed by incentives and remuneration schemes.
This is more challenging than doing ad-hoc pen tests but it is the only way to lasting long-term success.
By JC Gaillard, Managing Director at Corix Partners