A cyberattack can have many consequences, operational, legal and financial alike, and it is ultimately the board’s responsibility to manage the risk of a cyberattack. Cybersecurity should be considered part of the general risk governance. The importance of cybersecurity has been emphasised by the major cyberattack on Maersk, which wiped out their entire IT infrastructure, and most recently by the attack on Demant. If it can happen to Maersk and Demant, it can happen to anyone.
What role should the board take?
We are not saying that you as a board member need to become the ultimate cybersecurity expert. But there is no doubt that the board has a responsibility to ensure that this topic is an integral part of the company’s processes and risk governance.
It is important to understand that cybersecurity defences need to be layered and include a range of different measures, embracing technology solutions, user education and effective policies. There is no simple fix-all solution to cybersecurity, and it is a constantly evolving area requiring constant focus and attention.
So where to begin? Our recommendation would be to ensure that your board can check off the following four boxes in terms of cybersecurity: Understanding, Capabilities, Resources and Culture.
For the board to understand the risk facing the business, you need to have sufficient insight into cybersecurity and the cybersecurity policies and procedures of the business to be able to ask qualified questions and understand the answers within these areas.
The board must understand how a cybersecurity incident can affect the business and thus ensure that the necessary contingency measures are in place. This requires a basic understanding of the IT infrastructure and the cybersecurity posture that goes beyond just being presented with some basic risk and efficiency metrics.
We would therefore recommend that you as the board ask the following questions of the organisation:
- What is the worst possible scenario for a cyberattack on us?
- Which GDPR-regulated data are we handling?
- What is our business continuity plan if a cyberattack eliminates the entire IT infrastructure?
- When was our incident response plan last tested?
- What were the learnings, and which changes and improvements were made after the test?
These questions should be asked of the people in the organisation who are directly responsible for these areas. In most cases, this will be the CIO and the CISO. But it is also important to get input from other relevant stakeholders, for instance the DPO or risk manager if such a role exists in your organisation.
It may be necessary to look across the board composition to make sure that you have profiles with the required expertise to evaluate the adequacy of the responses to the above questions. You need to be able to verify that the company’s risk governance applies to all aspects of the business, not just the IT department.
One way for the board to evaluate the company’s cybersecurity posture is to consider the company’s cybersecurity capabilities and readiness within the following areas as set out by the US National Institute of Standards and Technology Cybersecurity Framework. This framework identifies five overall cybersecurity functions that “represent the five primary pillars for a successful and holistic cybersecurity program”. The framework can be applied by the board as a checklist to ensure that the organisation has a sufficient level of security in place.
The framework consists of the following five functions:
- Identify: understand the business context, the assets and systems that support critical functions, and the cybersecurity risks to them
- Protect: put in place the safeguards that limit or contain the impact of a potential incident
- Detect: be able to discover that a cybersecurity incident is occurring in a timely manner
- Respond: be able to take action against a detected incident and contain its impact
- Recover: be able to restore the capabilities and services that were impaired by an incident
In short, the framework aims to help companies verify that they have the necessary capabilities in place to handle all five aspects of a cyberattack. As the board, you have an obligation to ensure that the above capabilities within all five functions are in place. And if they are not, you should make it a priority for the executive team to get them in place. There are several other similar frameworks from other institutions, and they can be helpful as checklists in ensuring that your risk governance is up to speed.
However, getting the right capabilities into the organisation may be easier said than done. Cybersecurity resources and capabilities are in great demand, and it is difficult to secure the right resources. And without access to cybersecurity resources, it is impossible to maintain the required level of preparedness and the ability to execute within the organisation.
You need to ensure that the right resources are available to the organisation, either internally or via an external partner. Working with an external partner can often provide access to more specialised resources and competences, ensuring that the right resources are available at the right time. For each aspect of cybersecurity, the board should understand which resources are available and evaluate whether the competences and experience these individuals have match the requirements.
For the board to understand the actual capabilities and resources in the organisation, you should ask specific questions such as:
- How many cybersecurity specialists do we have in the team?
- Who can we call for further help and assistance? And how fast can they help us?
- When was the last time we tested our readiness?
Last, but certainly not least, culture is a major success criterion for any company that wants to achieve a successful cybersecurity programme. Security issues often occur because of the way users use the technology available to them. In most cases, this is not because the user has malicious intentions but simply because of ignorance or choosing the easy way in a busy workday.
To avoid this, it is important to establish a culture of security awareness. This is no simple task and usually requires quite a lot of work. It is therefore critical that both the board and the executive team lead the way by acting as role models, demonstrating constant focus on security and promoting and supporting a security-oriented culture.
But to act as role models, you need to have an understanding of how cybersecurity works in practice as well as in-depth insight into the policies, procedures and processes in place throughout the organisation.
How do we start tomorrow?
By strengthening the focus on cybersecurity throughout the company with cross-functional cooperation, your company will also be able to optimise its value chain and achieve faster deployments, fewer reruns and consequently more satisfied customers, in addition to strengthening its cybersecurity.
But it is a prerequisite that the entire company begins to think in terms of end-to-end processes from a security perspective. Not least the board.
Some board members would argue that cybersecurity is too technical and should therefore not be a board matter. However, we would argue that, with the right approach, you can start improving your company’s cybersecurity tomorrow.
Here is how you can begin:
- Together with your executive team, discuss and define how you can make cybersecurity an integral part of the business, and how you can think risk governance from an end-to-end perspective
- Decide on and communicate a risk strategy and a risk tolerance level for cybersecurity. How quickly do you want to be back in business? What can the employees do?
- Start the search for a board member with cybersecurity knowledge
- Ask for frequent reporting on attacks and their severity
- Seek sparring from other boards
- Consider taking more educational steps for the board on the topic
You can indeed start strengthening your cybersecurity tomorrow. Just be open to new ways of working and make sure that cybersecurity is an integral part of the company’s risk governance. It should be incorporated in everything from digital solutions to cultural development.
The article was originally published in Board Perspective 25 November 2019.