- Posted: Wednesday November 24 2021 9:49 AM
There are growing calls for boards to take strategic direction on cybersecurity and resilience. Yuval Baron explains why it is important to have the C-suite on board and what real executive buy-in looks like.
According to a report released earlier this year by McKinsey, it has always been companies in regulated sectors, such as banks and insurance companies, that have prioritized cybersecurity at the board level.
However, other industries still lag behind in terms of technical representation at the senior management table. CIOs and CTOs, as well as managers with other IT backgrounds, make up only a small share of board leadership globally.
In a survey conducted by Harvard Business Review, more than a third of respondents indicated that they strive to stay abreast of risk and security issues and new technologies while only 13 percent of boards sought technology expertise with their most recent director search. The result is an imbalanced glut of directors with financial and managerial skills, but no technical skills.
So why is it so important to have the C-suite integrated with cybersecurity?
It has become increasingly difficult to sit at the helm of a business and not assess the risks that exist both physically and virtually. Nor can the implementation of measures against cyber risks replace informed decision-making at the executive level. The point is, cyber attacks pose an almost existential threat to any business. In 2020, breaches exposed more than 37 billion records – the highest number of records exposed in a single year. The balance between an attacker and a defender is asymmetrical: an attacker who fails in 99% of attacks and succeeds in only 1% succeeds. A defender who fails in 1% and succeeds in 99% of attacks fails.
Previously, the task of understanding and quantifying cyber risk fell to CISOs and their IT teams, who primarily dealt with the technical side of the problem. The objective was to take stock of the defenses established and to determine how vulnerable the systems were. But the problem is that this is a largely retrospective approach, and it does not take into account the layered defenses put in place by organizations, including efforts to intentionally deceive hackers who attempt to study their weaknesses, as well as the risks of insider threats and accidental misconfigurations.
This traditional approach isolates cybersecurity decisions from the companies they are meant to serve. While technical assessments may be sufficient for technical managers, they do not always provide a risk-based, holistic, and validated view that takes into account the financial and business impacts of cybersecurity. Additionally, not all reports capture a company’s governance, culture, decision-making practices, or the broader treatment of a company’s cyber risk profile.
Directors need to understand all of this if they expect to make informed decisions about, for example, where to allocate capital to improve cyber defenses and how to understand the business impact of cyber threats, instead of investing in different departments.
Digital transformation accelerates the need
This does not mean that all executives should become technical experts. It means that they must be able to establish the company’s tolerance for cyber risk, define the most important outcomes to guide investments in cybersecurity, and foster a culture of cybersecurity and resilience.
In the past, CTOs and CIOs were more likely to be responsible for back-office outsourcing, procurement, and standardization. Fast forward to today and these positions are increasingly helping to chart the course for long-term business strategy.
One of the reasons is digital transformation. According to Gartner, digital transformation encompasses everything from IT modernization to the invention of entirely new digital business models. In the modern world, networks are spread across multiple public clouds and data centers, which increases complexity.
With this comes the need to constantly review, update and improve the use of digital technologies to solve business challenges. This reliance on digital technologies and business models poses new challenges as companies need to understand the implications of cybersecurity holistically across the entire hybrid network and ensure that cybersecurity is an accelerator, not a hindrance, to digital transformation.
So what can C-suites and boards do to meet these growing needs?
Getting leaders on board takes more than showing them tons of code and technical specifications. Threats and opportunities need to be translated into business language so that non-technical board members can understand the real negative results of attacks caused by inaction. This includes the financial and reputational costs and the expected return on investment.
At a minimum, CTOs and CIOs should be more visible at the board level. However, to truly execute a digital transformation strategy, executives at all levels must have the digital skills to drive the agenda across an organization and move cybersecurity from an abstract problem to a substantial problem.
Yuval Baron is CEO and co-founder of AlgoSec.