If directors realised that their reputations and livelihoods, not to mention their companies’ share prices, were at stake, might we expect a rather greater concentration of effort on addressing this changing and very real menace? While some boards accept that the cyber threat is real enough, many directors simply hope that catastrophe won’t strike on their watch. Women, who so far seem to be taking little interest in the area, particularly need to view cyber security not as a technology and compliance issue but as a core business risk, one that leaders need to embrace. We interviewed Robin Murray Brown, of executive search consultants Tyzack Partners, on why it is essential for boards to be proactive in developing strategies to prevent cyber attacks and to manage the resulting fallout.
“Is cyber security an opportunity or a threat for the leadership team?” he asks. “The digital era is providing companies with unprecedented opportunities for expansion and leverage, matched only by equally fast-growing challenges in relation to corporate security. At an operational level, this has forced management to take a significantly more proactive approach to data and transaction security. The question now is whether it has sufficiently focused boards’ attention on the assessment and effective management of this area of strategic risk. “One of the biggest breaches was at a US company, Target. It has so far cost the company an estimated $61 million in expenses, not to mention the effect on its sales and share price. It was the last nail in the coffin for the Chairman and CEO, ending a 35-year career with the company.
“But high-profile data breaches like this are just a blip on the corporate radar screen. In its 2014 Data Breach Investigations Report, American telecommunications giant Verizon revealed that more than 63,000 confirmed security incidents had taken place during 2013 within the Report’s 50 contributing organisations from 95 countries. Over the past nine years Verizon, with the co-operation of partners across various industries and nations, has produced a series of these data breach reports.
“Today’s cyber threat landscape is rapidly evolving and diversifying. As well as the danger from state-sponsored sources, which are often well-funded and extremely sophisticated, there are the so-called ‘hacktivists’, often motivated by little more than a sense of grievance or the curiosity to see what damage they can do. Protecting against objectives as varied as espionage, commercial competitive advantage, and quasi-anarchic disruptiveness makes responding to the threat a multi-layered challenge. “There is no industry or establishment that is immune. Even if an organisation is at the low-risk end of an external cyber attack, it does not rule out the possibility of insider errors and misuse that may damage systems and expose sensitive data. This has considerably raised the stakes in relation to corporate risk assessment and management.
“We are now living in a ‘connected era’ where the communications infrastructure is globally networked. The result is that IT risk and information security have become business issues rather than simply technical ones. Executives must, therefore, incorporate IT security and risk management in the corporate strategic plan, not just leave it to the CIO to include in the IT strategy. Boards will then be able to play a more effective role in addressing regulatory and compliance-related issues and HR a more supportive role in ensuring appropriately qualified staff are on board.
“The UK currently has one of the world’s largest internet-based economies, valued at £121 billion in 2010. This is equivalent to 8 per cent of the UK’s GDP, which is a greater share than for any other G20 country. However, according to staggering figures released recently by the UK’s National Audit Office (NAO), the cost of cyber crime to the UK is currently estimated to be between £18 billion and £27 billion.
“It is essential that leadership teams play a more proactive role, so they must include executives who have a deep understanding of cyber defence tactics, security architectures and risk management. Much has recently been written about the growing demand for Chief Digital Officers and, in an increasing number of organisations, we are now starting to see another position being created in the C-Suite: that of Chief Security Officer (CSO). Although the position of Head of Security is not new, what has changed in this role is the scope of responsibility. Additionally, the Head of Security was never a board position, but with the increasing risk of cyber attack and the resulting implications for the company, the role has changed considerably, both politically and technically.
“On the IT side, issues the CSO will need to address (amongst others) relate to mobile, cloud computing, social networks and BYOD (‘bring your own device’, the use of personal devices such as smartphones in the workplace). BYOD, particularly, has become a megatrend that is creating far-reaching security issues. While device security will remain a key issue, the growing challenge is with app/data security. Given that social network sites such as Twitter, Facebook and LinkedIn are increasingly being used by businesses, malware affecting these sites is potentially lethal. Individuals accessing infected video links and websites unknowingly place the corporate infrastructure – and the sensitive data stored on it – at risk.
“The political issues are an area the CSO is likely to be spending an increasing amount of time dealing with, since advancing technologies make it easier for employees, and even entire departments, to circumvent corporate security policy. Emails, for example, can easily be accessed by mobile phone, which makes it difficult for the company to rigidly enforce a security policy that prohibits this activity.
“The CSO not only needs to have a sound understanding of technology but also needs to be an analytical, strategic and creative thinker with a strong grasp of their business’s key drivers and culture. Effective risk management will require the CSO to engage with executives who may not be technically savvy, working with them to identify potential risks and putting appropriate security measures in place.
“Traditionally, business leaders have pigeonholed cyber security as an IT issue. Today, that is a recipe for disaster. Everyone in the organisation must be involved. HR needs to ensure employees understand the security policies, and recruit people with the specialist skills to protect the organisation from cyber attacks. CFOs and in-house legal teams need to make sure laws and regulations are complied with, and marketing must take cyber security into account when launching new products.
“Despite the dramatic increase in cyber attacks, there remains a shortcoming in board oversight of cyber security. Directors are not actively addressing cyber risk management and there is still a gap in their understanding of the link between IT risks and enterprise risk management. Cyber security is a broad corporate issue that has to be addressed at board level and all directors must, therefore, fully understand the risks if they are to competently deal with them.”
• For more information on women in cyber security, visit The Raytheon Women’s Network, at www.raytheon.co.uk
• The Women’s Security Society at www.womenssecuritysociety.co.uk
• The Cyber Security Challenge. Email firstname.lastname@example.org for further information.