Key factors for boards and executive management to consider in 2019 around cyber security and privacy
Cyber security has risen as a key issue on the radar of virtually all organisations. As a recent AT Kearney report suggests, cyber-attacks have been topping executives’ lists of business risks for three straight years. In fact, the overwhelming majority of organisations have experienced some form of cyber-attack at some point over the past few years.
This concern is also driven by security and privacy becoming increasingly valued by customers and the media, and by regulators who are now stepping into the topic with the ability to impose business-threatening fines (GDPR in Europe, California Consumer Privacy Act of 2018). In parallel, the cyber risk landscape is ever-complexifying – with new technologies such as AI bringing at least as many new threats as they bring opportunities to improve cyber security.
In this new age of “when-not-if” around cyber-attacks, it is worrying to see so many large organisations still struggling with the delivery of cyber security initiatives. Maturity levels on the topic have remained dangerously low, and in fact, the same AT Kearney study found that more than 60% of surveyed firms had not yet fully developed and implemented cyber defence strategy. Their findings echo those of many firms and research bodies year after year and the situation appears rooted in decades of short-sighted adverse prioritization of cyber security issues. It has also engineered a talent alienation dynamics which only reinforces the problem.
The Board is ultimately accountable for cyber resilience and the only way out of this dire situation can only come from the board down. To that end, it is crucial that cyber security stops appearing periodically at the board-level only as a check-box exercise or after an incident, – but instead starts anchoring itself at that level and informing every other strategic decision.
A way to achieve this could be to frame cyber security as a formal and integral part of a company’s Environmental, Social and Corporate Governance (ESG) strategy, and this is the proposition the Security Transformation Research Foundation analyses in its latest White Paper.
Cyber security is crucial in helping organisations create and protect value – an aspect increasingly backed up by data models. Beyond this straightforward argument, however, security is also becoming a key social and governance topic for all organizations.
Cyber security has obvious and deep links to issues of privacy and the protection of personal data, and as such is necessarily becoming a key enabler to any organisation’s social responsibility initiative. This is especially important as digital trust is likely to become an organisation’s most valuable asset – irrespective of the direction in which data-driven business models evolve in the years to come.
Those new security and privacy imperatives also require a significant rethinking of corporate governance frameworks. As organisations cannot do whatever they want with the data they collect anymore, cyber security and data privacy considerations must start to infuse daily business operations and decisions. Crucially, the challenge of executing such transformation is itself a key governance issue, as cyber security is first and foremost a human and cultural problem (despite what tech vendors would like us to believe).
As every enterprise is becoming more and more data-driven, it is key for the Board to realize that cyber security is becoming a central tenet both of its core business and of its social impact and governance strategies. This should the basis on which the cyber security imperative is cemented at Board level. Right where it always belonged.
Read the full white paper here