Directors and executives can no longer afford to pay lip service to cyber risk
Cyber risk has rocketed to the top right corner of several corporate risk profiles. As a result, most corporate directors now acknowledge the inescapable reality that if they fail to bake cybersecurity into their critical business lines, such negligence will invariably erode brand equity, materially impact the bottom line and dent their legacies. However, without clear guidance on how business leaders can create high-impact, focused cybersecurity strategies, the idea of cyber resilience remains a distant dream for many enterprises.
Faced with a barrage of high-profile data breaches, some business leaders now harbour deep-seated reservations that cyber threat actors are undeterrable and cyber resilience is unachievable. Inside boardrooms, there is a significant amount of justified frustration. Most leaders feel like passengers on a runaway train that the driver can neither control nor stop. But this ought not to be so. As I wrote in my bestselling book, The Five Anchors of Cyber Resilience, getting this right is less about constantly buying bleeding-edge tools and more about having a robust cyber-resilient culture underpinned by highly intentional governance and oversight mechanisms.
In short, cyber-resilient enterprises acknowledge that board oversight and C-suite leadership are essential to driving any transformational change and that cybersecurity is no exception. Their most senior business officers and the board of directors provide unwavering support for cybersecurity programs. They role model expected behaviours, uphold the virtues of their cyber risk appetite, and embed cyber-risk governance into their enterprises' bloodstream. They make cyber resilience an inevitable and inconspicuous part of strategic and operational decision-making and, as a result, foster transparency and accountability. Granted, every enterprise is different; there is no universally right cybersecurity strategy, but here are six proven pillars of an effective cyber governance environment.
Establish a cross-functional cyber risk governance committee
1. A dedicated, cross-functional cyber-risk governance committee, comprised of senior executives, exists to provide unwavering support to the CISO and the cyber resilience transformational agenda and ensure that the business is not exposed to risks outside its determined risk tolerances. When we interviewed dozens of cyber leaders who go through our Cyber Leadership program, there were varying views pertaining to who should chair the cyber risk governance committee.
In the end, we agreed that if the CEO, in his or her capacity as the linchpin of management, chairs the cyber risk governance committee, it sends a strong message across the ranks that the organization takes cybersecurity seriously. Such a move sets a strong foundation for a robust cyber resilience culture to thrive. Alternatively, the committee can be chaired by the CISO or any other business executive who gets cyber risk and has sufficient organizational clout to drive transformation. The effectiveness of the committee depends on the commitment of senior executives. It's a very bad sign when the CFO starts delegating the Finance Manager to attend this forum.
Empower the CISO
2. The CISO is an empowered business executive with the authority to confidently veto business decisions that violate the enterprise’s policies or risk appetite. Also, the CISO has direct access to the board, enabling corporate directors to ask challenging and precise questions and for the CISO to embed board perspectives into strategic cybersecurity initiatives while considering their top business priorities and most pressing concerns. Channelling cyber board reports through business executives can impede transparency or dilute important messages. As an industry, we still have a long way to go here. Most CISOs feel like glorified techies; they have zero access to the CEO, let alone the board, feel like their messages often hit concrete walls and report into a technical role.
Inform the board using business-centred metrics and commentary
3. The CISO engages powerful storytelling techniques to enlist the board's buy-in by rigorously linking cyber risk to its mission, value chain, strategic priorities, risk appetite and regulatory environment. The CISO must have a strong disinclination to use technical vocabulary that makes them sound educated but badly dents their credibility. To drive change, CISOs must pitch cybersecurity as a growth advantage and in the language of the business: Money. Equally important, board reports must be accompanied by clear-cut cyber risk metrics centred on the most valuable digital assets (crown jewels), informing the board of all critical blind spots and the effectiveness of non-negotiable controls.
Educate executives and directors on cyber risk and its implications
4. Granted, cybersecurity is a complex and expansive subject. To fully exercise their governance responsibilities, board members and executives formally pursue cyber resilience education to contribute and challenge the cyber resilience program positively. That's why we created the Executive Cyber Resilience Program - to help non-technical business leaders accelerate their cyber strategy design and governance skills. The short and intensive enterprise online program goes beyond the fundamentals of cyber resilience, equipping you with practical skills to actively participate in cyber resilience strategy design, as well as exercise your cyber-risk governance responsibilities. The argument that board members must not educate themselves on cyber risk is both tired and dangerous. Corporate directors need to acquaint themselves with cyber risk in the same way they need to grasp the fundamentals around cash flow, mergers and acquisitions, regulatory compliance and CEO succession.
Implement a robust independent cyber risk assurance framework
5. No matter how great your cyber resilience strategy is, it’s bound to get better when independently challenged. An effective cyber resilience governance framework includes a detailed assurance program comprising internal audits, deep-dive technical reviews, red teaming, threat hunting, penetration tests, etc. The objective of these reviews is to pressure-test critical controls and adapt the cyber resilience strategy accordingly. The cyber assurance strategy must be tightly linked to top business priorities, areas of highest risk and crown jewels.
Know you're ready
6. My industry colleagues often ask: Why so much emphasis on cyber resilience, not cybersecurity? The answer is simple: No amount of defences insulates an enterprise against well-planned and sophisticated digital intrusions. The evidence is as clear as day; think of FireEye, RSA, NSA, and an endless list of other cyber Goliaths that succumbed to damaging hacks. A robust cyber resilience governance model, therefore, considers several response measures, including (1) purchasing cyber insurance to cover both internal and external losses resulting from a cyber-attack, insulating the business from plausible, high-impact cyber breach scenarios; (2) ongoing cyber response drills, attended by members of the cyber risk governance committee, to simulate high-impact and most plausible breach scenarios; and (3) purchasing cyber response retainers to gain immediate access to skilled cyber threat responders and forensics experts in the event of the inevitable.
Here are some practical ways we can help at the Cyber Leadership Institute
1. We are on a mission to build 10 000 cyber leaders by 2025. Our globally acclaimed Cyber Leadership Program has equipped cyber leaders / CISOs from more than 25 countries with proven strategy design, governance, leadership, communication, and stakeholder management skills to sharpen their influence on the C-suite and the board.
2. We created the Cyber Leadership Hub, an online repository comprised of hundreds of fully customizable strategy decks, executive briefs, templates, policies, blueprints, methodologies and several other high-quality toolkits. These toolkits help cyber leaders accelerate budget approvals and create high-value strategies and unforgettable board presentations.
CEO and Co-Founder
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders. 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS Audit, control and security.
Chairman and Co-Founder
Darren is an accomplished executive with close to 20 years international cyber risk and security experience and broad expertise in providing hands-on leadership, strategic C-level/board direction and programme execution. He was named in the top 100 Chief Information Security Officers globally in 2017 and the top 100 Global IT Security Influencers in 2018.
COO and Co-Founder
Jan is a well-known veteran of the IT and cybersecurity industry. He is an independent cyber security strategy advisor to Boards and Executives. Jan was previously partner at a Big 4 professional services firm for more than 25 years, leading cyber security consulting projects for large global organizations.