Executive support requires demystifying the cyber security message
Executive support matters now more than ever
History has taught us that senior business officers are ultimately held accountable for managing vital business risks. High profile examples abound. In 2006 Jeffrey Skilling received a 24-year prison sentence following Enron’s massive accounting scandal and ensuing bankruptcy. In 2010 Tony Hayward was dismissed from BP following the drilling rig disaster that extensively contaminated the Gulf of Mexico. Then in 2014, Gregg Steinhafel resigned as the CEO of Target after the massive data breach fallout.
Cyber security has become a crucial and broad business issue with far-reaching strategic, operational, and regulatory impacts. Accordingly, boards of directors and executive management can no longer afford to completely delegate cyber risk to middle management.
Executive leadership over this potent risk matters now more than ever. And this is not just about protecting their careers. It’s essentially about fulfilling their core mandate: providing strong leadership support and rigorous checks and balances to ensure their organisations create and sustain long-term shareholder value.
The stakes couldn’t be any higher; cyber crime is costing the global economy more than USD 500 billion annually, and the costs are soaring. This is bigger than the combined gross domestic product of 82 economies. And if McKinsey got it right, cyber security risk will cost the global economy as much as $3 trillion by 2020 through delayed technological innovations such as big data and mobility[i].
No individual, business or civilian institution is immune to this risk. Cyber-criminals have targeted energy companies with meticulous precision, paralysing critical infrastructure and sending thousands of households into darkness. These malefactors have also crippled central heating systems, forcing occupants to endure terribly cold Scandinavian nights. They have also crept into high-tech firms undetected, and swiped high-value intellectual property worth billions of dollars, which took years of research to develop.
Long story short, the bad guys have hacked into virtually any kind of system connected to the internet. In fact, not a week passes without another mammoth cyber attack making the headlines.
The ides of March
"Beware the Ides of March," a soothsayer warned Julius Caesar in Shakespeare’s tragic play. The soothsayer’s message was consequential. A group of conspirators, including Brutus and Cassius, would assassinate the Roman ruler on March 15, in the year 44 BC, and Caesar had better be on guard. But this important message was shrouded in obscurity. Accordingly, Caesar sarcastically dismissed the soothsayer, declaring, “He is a dreamer; let us leave him.” The Ides of March would indeed be a terrible day for Caesar: he was stabbed 23 times.
Boards of directors now widely appreciate the significance of cyber risk, and are seeking deeper insight into cyber security issues and their business implications. Supporting this view, PwC’s 2016 Annual Corporate Directors Survey revealed that 65% of public company directors want additional time and focus on IT risks like cybersecurity. These results show that those charged with governance are genuinely keen to play their part.
But despite the significance of the cyber security message and growing enthusiasm from senior executives, a serious obstacle exists. Like the soothsayer in Shakespeare’s play, cyber security professionals often provide highly ambiguous cyber security reports, accompanied by low-level, detailed metrics, to senior business executives. This leaves them frustrated or unclear about the key threats targeting their businesses, the strength of existing defences, or the investments required. Most business leaders have long perceived cyber security as too complex. The excessive use of security jargon, some of it unfathomable even to other technology professionals, further reinforces their opinion.
A wide range of cyber security metrics now exists, including vulnerabilities, misconfigurations, and threat intelligence, but translating these into useful knowledge for business leaders remains a significant challenge. No wonder that 91% of the directors polled by NASDAQ and security firm Tanium in 2016 conceded that they don’t understand cyber-security reports.
Closing the expectations gap
To address this enduring challenge, we should raise our game, move away from numbing cyber security vocabulary, and learn to speak the language of the business. Boards of directors have very limited time at their disposal, and are not comfortable discussing ISO 27001 or NIST standards. Rather, they are concerned about how cyber risk will impact new product success, business growth, cost of capital, innovation, customer trust, profitability, or other crucial business priorities.
Tightly linking cyber risk to corporate objectives requires an in-depth understanding of business operations, the value chain, strategic priorities, risk appetite and the regulatory environment. Another approach is developing provocative storytelling skills to bring the cyber security subject to life and persuade the board and executive management into action. Risk maps and detailed metrics are not enough; as Harrison Monarth wrote in the Harvard Business Review (HBR), “data can persuade people, but it doesn’t inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul”.
Executive engagement in cyber security has never been so imperative. And this is more than just spending millions of dollars on new technologies. Effective leadership includes role modelling, active participation in cyber drills and holding managers accountable for maintaining robust cyber security controls. It also requires business leaders to embed cyber security into vital business processes, such as product development or acquisitions.
For a long time, we have advocated for greater business visibility and influence. But we also need to play our part, particularly by articulating this crucial business risk in ways the business can understand and relate to.
[i] Kaplan, James M.; Bailey, Tucker; O'Halloran, Derek; Marcus, Alan; Rezek, Chris. Beyond Cybersecurity: Protecting Your Digital Business (Kindle Locations 551-553). Wiley. Kindle Edition.