Security professionals know that cyber-attacks will invariably penetrate their organizations, and that an appropriate cybersecurity strategy must therefore focus on detection, damage limitation, and remediation. Ensuring that such a strategy is in place, and closely monitoring the organization's response to cyber-threats, is a board-level responsibility. Although it now registers higher on the priority list for senior executives, I believe the time has come for regulation, as part of corporate governance, to ensure that every company is taking sufficient action.
The level of cyber-risk has reached a point where it represents a continuous threat to the health of the organization, and board members must understand the potential impact of attacks on the company in areas including its operations (both physical and online), staff, reputation, and financial standing. There must be a close relationship with the chief information security officer (CISO) or their equivalent, with regular communication on investment in security defenses, the response plans that are in place, security awareness and training, the current level of threat, and details of significant incidents.
There is no doubt that boards are now taking these issues more seriously, driven in large part by regular and repeated evidence of cyber-attacks and their consequences. In the US, the SEC commissioner noted that boards of the largest enterprises are almost all now taking responsibility for oversight of cyber-risk management; in the UK there has been strengthened guidance from government to boards on these issues; and in many countries there is increased transparency and sharing of security intelligence.
However, when a significant cyber-attack does get through, it is rather akin to a baring of the corporate soul (particularly now that the reporting of these incidents is mandated), and it is clear from the majority of such cases that there continue to be major failings in both the state of readiness and the plan for response.
Handling of cybersecurity matters is delegated to the audit committee in some enterprises, or to a specialist subcommittee in others, but ultimate responsibility lies with the main board and its directors. I believe it is now time for the board to publish a more formal summary of its cyber-risk preparations and oversight, as part of its annual reporting. This should demonstrate that the board has considered the range of risks and their possible consequences, has ensured that there are sufficient expert resources and capability investment to address these risks, and is undertaking regular reviews of the risk landscape and testing the organization's readiness to respond.
While it is certainly no panacea against cybersecurity incidents, such regulation should encourage organizations to follow good practice in their cybersecurity preparation and give stakeholders greater visibility and assurance into what is potentially the greatest risk that faces every enterprise.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.