The increasing occurrence of cybersecurity breaches, such as the recent case at eBay, in which more than 145 million user accounts are believed to have been compromised, is causing executives around the globe to seek ever more sophisticated solutions to prevent future incidents. As they review their procedures, tighten their operational environment and add further layers of security, the optimum formula is still proving elusive.
Advances in security architecture and cyber-defence tactics have helped address some risks, but they are inefficient and unsustainable when faced with the more adaptive, embedded and interconnected capability of the current threat. Strengthening network resilience is important, but management responses remain overwhelmingly reactive. The criminal cyber threat is nimble and intensely focused and, thanks to its financial success to date, has the wherewithal to invest in innovation and scale, often leaving corporate security trailing in its wake.
Given that the cost of cybercrime to the UK is currently estimated at between £18 billion and £27 billion, it is essential that boards play a more proactive role. At an operational level, leadership teams should work on the basis that they will face a cyber-attack at some point: they need to anticipate the business risk and develop counter-measures and business continuity plans that will minimise the disruption when it happens.
But how do they do this and who should be in charge of driving the corporate agenda on cybersecurity?
As boards acknowledge that technology on its own is not enough, companies need the addition of strong, well-organised management with a broad range of technical and non-technical capabilities.
In many instances, responsibility for cybersecurity falls on the CIO. This is perfectly understandable, but IT risk and information security have become business issues and not simply technical ones. No department is immune to a cyber-attack, and every department should consider whether certain of its activities may give rise to a security breach, originating either internally or externally. The challenge is to oversee the organisation's enterprise-wide risk management effectively, managing risk while still adding value to the organisation.
In an increasing number of companies, we are starting to see the creation of a new senior role on the leadership team, that of the Chief Security Officer (CSO). Whilst the position of Head of Security is not new, the role has changed considerably in scope of responsibility. Some organisations are also distinguishing between the Head of Physical Security and the Head of Data Security.
Working alongside the CIO, the CFO and others, one of the CSO's responsibilities is to advise the board and senior executive team on existing risk management procedures. He or she must be able to demonstrate the effectiveness of these procedures in identifying, assessing and managing the organisation's most significant enterprise-wide risk exposures. As boards consider these risks, they must decide whether their current risk oversight and governance processes enable them to understand fully the potential impact on corporate strategy.
The CSO's position must interface with other business areas such as IT, Legal, Human Resources, operations and corporate communications. Therefore, although a head of IT could take on this role, suitable candidates must also have a strong commercial ethos, a global view of the impact of the cyber threat and a solid understanding of the changing threat landscape.
The scope of this awareness needs to encompass a range of assets, systems and activities, including some perhaps not previously considered 'at risk'. These include assets held by external organisations, such as suppliers, since attacks frequently arrive indirectly through these third parties. Earlier this year Target, the USA's second largest discount retailer, reported that the personal information of as many as 110 million customers was compromised after hackers reportedly installed malware on the retailer's point-of-sale machines, having gained access through one of its suppliers.
Given the need to strike a balance between creating and sustaining a secure environment and enabling end-users to work unhindered, an experienced CSO should also be a strong team player, capable of embracing and managing change and of collaborating with others through information and intelligence sharing. Finding someone with the right credentials for the role is a challenge. Growing demand is already outstripping the supply of the most qualified people, so CEOs may need to consider executives who have some, but perhaps not all, of the skills required, and provide the time and facilities for that person to develop accordingly.
How the board views and responds to the cyber threat is equally important. As with many aspects of the board's role, this is as much about knowing what questions to ask, and being satisfied as to the quality of the answers, as it is about expert or technical knowledge. Indeed, discussing technical minutiae is almost certainly not the best use of the board's time. Rather, the board will need to demonstrate to stakeholders (investors, customers, employees and, where relevant, regulators) that it is fulfilling its responsibility of assurance: setting the strategic framework and holding management to account. This will increasingly become a matter for review in annual reports and regulatory processes.
In the final analysis, the cyber threat is a question of 'when' rather than 'if', and organisations need to prepare accordingly, even though the nature and target of the threat are constantly changing. What has not changed is the responsibility of security specialists, management teams and boards to provide technical capability, business resilience and strategic oversight respectively.