Cyber risk is a business risk. Ransomware attacks hold organizations hostage and disrupt business operations. Data leakage results in serious brand damage and penalties.
Global cyberspace is facing threats unlike anything seen before. Modern-day attacks are targeted, researched, and orchestrated through intelligent reconnaissance. Hence, the success rates for the attackers are high. There are around 750 million malware programs in the world, and 250,000 new ones are being created daily. The spend on Cyber Security in 2004 was close to $3 Bn, and in 2020 it was close to $125 Bn. The ease of attack and the rewards to attackers are growing, while the cost to defend keeps expanding.
According to IBM research: “Taking into account that the average cost of a data breach today is $3.9 million inclusive of legal fees, fines, lost productivity, crisis response efforts, remediation, and that the loss of intellectual property, competitive insights, or consumer trust can often be the greatest source of long-term damage in the wake of a data breach”.
As stated by John Noble – the former director of the United Kingdom’s National Cyber Security Centre and a board member of NHS Digital: “Cybercrime is becoming industrialized. Vulnerabilities are identified by one set of groups that then share the information with criminal groups.”
In addition, Boards of Directors can also be held personally liable for the damages, as seen in the 2019 Yahoo! case.
There is absolutely no doubt that cyber-attacks have the potential to impact our national security and economy. During the global pandemic, cyber threats resulting in serious information risk have become the new normal.
As a result, Cyber Security risk is not a concern managed by the Chief Information Security Officer (CISO) alone. It is no longer merely an IT issue; it is increasingly a board-level issue that requires executive leadership and support. It is an organizational imperative and an Executive Board responsibility.
According to securitymagazine.com: “Boards need to understand and approach Cyber Security as an enterprise-wide risk management issue and should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.”
A Forrester study found that just 54% of security leaders and 42% of business executives say their Cyber Security strategies are completely or closely aligned with business goals.
But now, things are changing, and they are changing for good. Gartner predicts that 40% of Boards will have a dedicated Cyber Security committee by 2025. “To ensure that cyber risk receives the attention it deserves, many boards of directors are forming dedicated committees that allow for discussion of Cyber Security matters in a confidential environment, led by someone deemed suitably qualified. This change in governance and oversight is likely to impact the relationship between the board and the Chief Information Security Officer (CISO),” said Sam Olyaei, research director at Gartner.
For years, CISOs have struggled to bring the importance of cyber-attacks and the risks associated with them to management’s attention. This change in the Board’s approach will help CISOs design and manage Cyber Security programs more efficiently. CISOs and business executives will be better aligned to defend against cyber risks. Cyber Security priorities will evolve as part of business strategy, and the role of the CISO will become much more strategic.
Based on my experience so far, one of the best starting points is to conduct a Cyber Security workshop for the Board and the members of the senior management. NIST Cyber Security Framework (CSF) is a good way to do it.
CSF provides a strategic view of the Cyber Security program. It helps the Board better understand the risk landscape and the maturity of the organization’s Cyber Security program (Cyber Security Maturity Dashboard and Risk Matrix). CSF also enables organizations to better align Cyber Security strategy with business goals and to quantify the business impact of cyber risk.
The next step is to define security controls based on the business drivers and the understanding of the company’s crown jewels that must be protected at all costs.