Increased digitalisation equals increased threats. Cybersecurity experts Thomas Parenty and Jack Domet describe a framework for board members to approach their responsibilities in this area
Many directors have told us that cybersecurity is daunting, if not overwhelming. They feel as if they’re making investment decisions without reliable data and do not fully understand the capabilities of cybersecurity technologies.
Further, many think that the learning curve is too steep. Others say they don’t know what questions to ask about cybersecurity and cyber risk—or what constitutes a good answer. Often, they are left to rely on broad statements from cybersecurity or IT management along the lines of “We are OK over here, but need work over there.” Technology-knowledgeable management might have cybersecurity covered, but the suspicion lingers that they may not.
It doesn’t have to be this way. You can make improvements simply by fulfilling your governance and oversight duties. Cybersecurity oversight is similar in concept to the “observer effect” in quantum physics, where the observation of an event changes its outcome. Your requests for information motivate your company to pay attention to relevant dynamics and perform necessary analyses that it would not have done otherwise.
Your assumption of cybersecurity responsibility need not be an arduous burden. In spite of the general perception that cybersecurity is complex and impenetrable, our experience shows that its governance and oversight do not require an extensive technical background. While an increased understanding of cybersecurity issues is clearly important, you do not need a deep understanding of cybersecurity to lead your company. Pursuing a formal cybersecurity education would provide limited benefits, and be time consuming and impractical. In the natural course of your board activities, you will gain the needed familiarity with cybersecurity issues.
To assist you, we have developed a framework called “digital stewardship,” which comprises four principles, three responsibilities, and a collection of aide-memoires. The principles provide concise points of reference to guide you in your cybersecurity deliberation and decision making. The three responsibilities address your company’s most important cybersecurity undertakings and give you the foundation for oversight. By adopting the digital stewardship framework, you will know how to be a cybersecurity leader, what you should ask of your company, and how to understand and interpret the information it provides you.
- If you do not understand it, they did not explain it. Digital management and staff within a company are responsible for providing their board of directors with materials and briefings that non-specialists can understand.
- It is the business at risk. All discussions and actions relating to cybersecurity and cyber risks start and end with the business and the risks to its operations and strategic direction, not with computers and their vulnerabilities.
- Make cybersecurity mainstream. In both corporate organisation and activities, take cybersecurity from siloed functions and incorporate it into mainstream operations.
- Engage motivation. Understand and align the interests and motivations of staff and departments to incentivise behaviour that leads to accomplishing cybersecurity goals.
You might find interesting: Meeting the challenge of digital transformation
Manage Cyber Risks
The most significant cybersecurity responsibility is the management of cyber risk. All other responsibilities both support cyber risk management and depend on a clear understanding of the business impact of cyber incidents. Effectively managing cyber risks requires that you clearly understand the relationships among the most significant business risks a company faces, the types of cyber attacks that could cause these risks, and the mitigating controls to prevent or minimise their impact. Ensuring the effectiveness of the controls includes recognising and accounting for the nontechnical dynamics that can negate even the most powerful technologies.
Fortify the Company
Companies can substantially improve the overall effectiveness of their cybersecurity activities by utilising the tools of organisational structure, processes, and culture, while accounting for employee motivations and incentives. The process of discovering new cyber risks will answer the questions, “How secure are we now?” and “How secure will we be tomorrow?”
The placement of the cybersecurity group and an understanding of the cyber expertise that boards need—and do not need— can improve the effectiveness of both. Further, a shift in thinking about accountability can unlock valuable information that is essential for informed board and executive decision making.
Lead in Crisis
While a company should not neglect preventative and defensive measures, it needs to be ready for a cyberattack-induced crisis. This readiness entails prior planning, preparation, and coordination in two distinct, but related areas.
First, a company needs the capacity to recognise and respond to cyberattacks, which includes a skilled cyber response team and the procedures it should follow. Second, the executive team must prepare to lead the company during a cyber crisis, which includes how to treat the situations it will face and what decisions it will make during a crisis.
By using information and materials already developed in the process of cyber risk mitigation, executives can think about their course of action before a cyber crisis hits.
Reprinted with permission from Harvard Business Review Press
All Rights Reserved
Extracted from: A Leader’s Guide to Cybersecurity: Why Boards Need to Lead and How to Do It
Thomas J. Parenty and Jack J. Domet
Harvard Business Review Press, 2020.