Is the board well prepared to deal with cybersecurity?

Cristina De Luca

March 31, 2021

In companies and governments, leaders need to understand cyber risk and take it into account in their strategic decisions. We live in a volatile environment, in a data-driven society that requires managers who are increasingly prepared to respond to disruptions caused by technology.

It is necessary to transform business models, identify opportunities and threats, and design internationalization strategies in the global market. All of these are everyday management tasks.

For instance, if cybercrime were a nation, it would be the third largest economy, behind only the USA and China, and larger than the entire global drug trade. It will cost us more than $6 trillion in 2021, with projected growth of 15% year after year, according to Chase Lee, founder and CEO of Trustpage.

It is time to treat trust not as a cost center but as an asset, and to act accordingly. But how? This is what the extensive report “Principles for Board Governance of Cyber Risk”, recently published by the World Economic Forum in partnership with PwC, addresses.

There is little practical guidance on what corporate boards should consider in their organizations’ governance when it comes to cybersecurity. Many board members recognize that cybersecurity is a risk that requires specific attention. However, most boards struggle to define a comprehensive approach to cybersecurity that genuinely manages risk, and instead implement “standard” control structures in the hope that these will be sufficient.

The new report shows how leaders can improve their understanding of cyber risks to quickly incorporate cybersecurity planning into their companies’ overall strategy.

The first step is to establish the principles that guide the behavior and choices of board members. When leading companies adapt common principles into practices, these practices can, in turn, become widely accepted standards that the business community expects. The ripple effect can be transformative.

The report outlines six principles:

1. Cybersecurity is a strategic business enabler;

2. Understand the economic drivers and impact of cyber risk;

3. Align cyber risk management with business needs;

4. Ensure organizational design supports cybersecurity;

5. Incorporate cybersecurity expertise into board governance; and

6. Encourage systemic resilience and collaboration.

These six principles are based on the premise that cybersecurity is more than just an IT problem. For effective business decisions, organizational risk assessments must weigh the costs of cybersecurity against strategic objectives, regulatory and statutory requirements, outcomes and the costs associated with managing this risk. More than half (55%) of the 3,249 business and technology/security executives interviewed for PwC’s “Global Digital Trust Insights 2021” report are not confident that cyber spending is aligned with the most significant risks.

There are three crucial questions that boards should address:

  1. Does your organization apply a consistent framework for calculating the economic impact and the likelihood of cybersecurity events?
  2. Do business decisions consider the costs of compromising cybersecurity?
  3. Has your organization defined its appetite for cyber risk in the context of realistic vulnerabilities and the company’s strategic goals?

By deciding how to address each cyber risk (accepting, transferring, avoiding or mitigating it), organizations can build a security profile that aligns with business needs and their risk appetite. There must be clear alignment between cyber risk management and business objectives in every facet of decision making, including mergers and acquisitions, business transformation, innovation, digitization, product development and market expansion, among others.

At this point, three other questions will need to be answered:

  1. Who is the “owner” of cyber risk in your organization? The business or the security team?
  2. Should all business units report key cyber risks?
  3. Is cyber risk considered in all significant business decisions, such as launching a new product or publishing an application?

It is worth remembering that designing internal governance that addresses cybersecurity also requires assigning roles, responsibilities and KPIs to everyone in the company. Developing a 360-degree view of the organization is essential, especially because cyber risks can arise from anywhere, including the company’s network of partners and suppliers. Although not common, attacks on the supply chain can devastate increasingly interconnected companies, causing significant damage.

A virtual village is needed to fight cyber crime. Recent events have taught us that even the best companies with a focus on cybersecurity can be compromised by a sophisticated actor.

In 2017, the NotPetya attack spread from malware-infected systems in Ukraine to paralyze global transport, causing around $10 billion in damage across a wide variety of industries, from pharmaceuticals to construction and from personal care to food.

In 2020, malware reached much of the US federal government, including the Department of Defense, 425 of the Fortune 500 companies and several other companies worldwide, through a compromised update from SolarWinds, a technology infrastructure provider based in the USA. The full extent of the damage, which may still be unfolding, and even the original purpose of the attack remain unknown.

Therefore, organizations must create an internal governance structure that addresses cybersecurity across the enterprise. Clearly defining responsibility for critical actions and designing cybersecurity practices that reflect how the company operates and makes decisions will be a must. So will answering further questions:

  1. When was the last time the company reviewed its organizational structure to ensure that cybersecurity was adequately represented in all departments?
  2. Who has the authority and responsibility to coordinate the cyber risk strategy across the organization?
  3. Does the board have the right relationships inside and outside the organization to develop its security knowledge?
  4. Do you collaborate well with your peers, including other board members, to increase cybersecurity for the industry as a whole?
  5. Does your organization interact with public sector counterparts to understand the resilience issues facing the sector?

Equipped with the right strategy, one that recognizes the centrality of cyber risk to conducting business in the 21st century, boards and their companies will be better positioned to lead effectively in the future.