{"id":2137,"date":"2019-12-16T02:36:51","date_gmt":"2019-12-15T23:36:51","guid":{"rendered":"http:\/\/kusuaks7\/?p=1742"},"modified":"2024-02-09T07:21:00","modified_gmt":"2024-02-09T07:21:00","slug":"cyber-security-revisiting-the-questions-the-board-should-ask","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/cyber-security-revisiting-the-questions-the-board-should-ask\/","title":{"rendered":"Cyber Security: Revisiting the Questions the Board Should Ask"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2137\" class=\"elementor elementor-2137\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-ecad5dd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"ecad5dd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7c04f50\" data-id=\"7c04f50\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d913753 elementor-widget elementor-widget-heading\" data-id=\"d913753\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">One Board member must be in charge and their pay package must ride on it<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c630dca elementor-widget elementor-widget-text-editor\" data-id=\"c630dca\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tIn 2015, in the wake of the TalkTalk data breach, which made a massive impact in the UK media and even got politicians involved, we first\u00a0<a href=\"https:\/\/corixpartners.com\/cyber-security-the-six-questions-the-board-of-directors-needs-to-ask\/\" rel=\"noopener\">explored<\/a>\u00a0the key questions the Board of a large firm should ask around cyber security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cf88f1f elementor-widget elementor-widget-text-editor\" data-id=\"cf88f1f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhat a difference 4 years can make \u2026 At the time, our line of thought was very much about making the Board understand its exposure to cyber threats and what was being done to counter them, especially across the supply chain, as the concept of a\u00a0<a href=\"http:\/\/reports.weforum.org\/hyperconnected-world-2014\/wp-content\/blogs.dir\/37\/mp\/files\/pages\/files\/final-15-01-risk-and-responsibility-in-a-hyperconnected-world-report.pdf\" class=\"broken_link\" rel=\"noopener\">hyperconnected world<\/a>\u00a0bound by data and powered by emerging technologies was on the horizon.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c7132a elementor-widget elementor-widget-text-editor\" data-id=\"5c7132a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAt the time, the McKinsey Institute was estimating that emerging technologies could create up to USD 20 trillion of economic value, of which cyber threats could destroy up to USD 3 trillion. 
Although we have seen no update on this research or on how accurate it turned out to be, it cannot be denied that cyber-attacks have intensified and have been widely reported over the last 5 years \u2013 from Sony in 2015 to Capital One this year, with Equifax, British Airways and Marriott reporting breaches in the last 12 months alone, not to mention the widespread WannaCry \/ NotPetya outbreak of 2017, which badly hit industrial and logistics giants such as Saint-Gobain and Maersk.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ad7c827 elementor-widget elementor-widget-text-editor\" data-id=\"ad7c827\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tEquifax has now agreed to a USD 700M settlement for its 2017 data breach, and the UK data privacy regulator is threatening British Airways and Marriott with nine-figure fines under the UK equivalent of GDPR. 
So the numbers keep getting larger, and it is hard to imagine a Board member today in any large organisation who would be unaware of cyber threats.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-60ae152 elementor-widget elementor-widget-text-editor\" data-id=\"60ae152\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tOf course, priorities may vary in line with economic conditions or the general health of the business, but \u201ccyber\u201d is on the agenda of all Boards, and consistently\u00a0<a href=\"https:\/\/www.atkearney.com\/web\/global-business-policy-council\/article?\/a\/rising-to-the-challenge_2018\" class=\"broken_link\" rel=\"noopener\">rated<\/a>\u00a0as a top risk by many.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6201cd5 elementor-widget elementor-widget-text-editor\" data-id=\"6201cd5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe last decade has undoubtedly been a decade of realisation for senior executives around cyber security: this is no longer about risk (things which may or may not happen) or compliance (boxes to tick and unnecessary bureaucracy). The \u201c<a href=\"https:\/\/corixpartners.com\/cyber-security-when-not-if\/\" rel=\"noopener\">When-Not-If<\/a>\u201d paradigm has changed the game.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eb580dd elementor-widget elementor-widget-text-editor\" data-id=\"eb580dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAnd with it, the focus of the Board has shifted towards execution, very 
often in exchange for significant investments in cyber security \u2013 in particular where initial maturity levels were low.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1a9f6b2 elementor-widget elementor-widget-text-editor\" data-id=\"1a9f6b2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis is no longer about understanding what\u2019s being done against cyber threats; it\u2019s about getting it done, and getting it done now.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8c974cf elementor-widget elementor-widget-text-editor\" data-id=\"8c974cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSo frankly, our 6 questions from 2015 now boil down to 2, in particular where a large programme of cyber security transformation is needed:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-887a863 elementor-widget elementor-widget-heading\" data-id=\"887a863\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Who is in charge?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f17c4d elementor-widget elementor-widget-text-editor\" data-id=\"6f17c4d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tA Board member must take direct accountability and responsibility for the delivery of the security transformation programme. 
Period.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-816fbec elementor-widget elementor-widget-text-editor\" data-id=\"816fbec\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis is no longer about wheeling in the CISO twice a year. This is about getting clear and accurate reports on progress at each meeting, in return for the large investments agreed to.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-936238f elementor-widget elementor-widget-text-editor\" data-id=\"936238f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tSo one Board member must carry the can, preferably one closely associated with the operational challenges involved \u2013 not the Head of Risk or (with respect) the Head of HR\u2026\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a99f377 elementor-widget elementor-widget-text-editor\" data-id=\"a99f377\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis is not about knowing which head will roll at the next breach, but about giving the initiative the right profile: any large-scale security transformation programme can only be complex and transversal, and in global firms the international aspects could add a considerable dimension to the task. 
Without the credible and visible backing of the most senior sponsor, the chances of success are significantly diminished.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d1ce4fd elementor-widget elementor-widget-text-editor\" data-id=\"d1ce4fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tAt the same time, the task must convey a degree of accountability, and must become a factor in determining the compensation level of the Board member in charge \u2013 in stock and in cash, and with retrospective effect. The\u00a0<a href=\"https:\/\/www.cbsnews.com\/news\/equifax-data-breach-settlement-disgraced-former-ceo-getting-nearly-20-million-in-bonuses-after-the-hack\/\" rel=\"noopener\">situation<\/a>\u00a0surrounding the ousted CEO of Equifax will not be tolerated much longer by consumers, citizens or politicians, and can only breed adverse sentiment against the corporate world and further regulation.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dff7c74 elementor-widget elementor-widget-heading\" data-id=\"dff7c74\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">What are we doing about it?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9f54052 elementor-widget elementor-widget-text-editor\" data-id=\"9f54052\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tHere, it is time to go back to good old-fashioned monitoring of milestones against the deliverables of the programme of 
work.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-90d7f1a elementor-widget elementor-widget-text-editor\" data-id=\"90d7f1a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWhat was meant to be done last month, and did it get done? No need for convoluted \u201creturn-on-security-investment\u201d discussions or fuzzy risk models.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f37246e elementor-widget elementor-widget-text-editor\" data-id=\"f37246e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tOf course, the detailed tracking of achievements should be done downstream from the Board, in particular for large, complex or global programmes.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f05ab3e elementor-widget elementor-widget-text-editor\" data-id=\"f05ab3e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tBut the consolidated results should be clear, concise and factual, and delivered in person by the Board member in charge.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-95008d2 elementor-widget elementor-widget-text-editor\" data-id=\"95008d2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThose 2 actions \u2013 personalisation and factualisation, underpinning a drive towards clarity and simplicity \u2013 will bring results over time, but here lies the main challenge for many Boards and their 
members:\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ef69820 elementor-widget elementor-widget-text-editor\" data-id=\"ef69820\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThinking over the mid to long term and holding a steady course in the face of potentially changing business conditions is necessary to the success of any complex cyber transformation programme, because of its inherent transversal complexity (and also because, in many cases, this is about catching up in a few years on 15 years of lip service or under-investment).\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fab64a2 elementor-widget elementor-widget-text-editor\" data-id=\"fab64a2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe Board must be capable of driving a long-term vision for all this to work, even if \u201cin the long term, we\u2019re all dead\u201d \u2026\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>It is hard to imagine a Board member today in any large organisation who would be unaware of cyber threats. Of course, priorities may vary in line with economic conditions or the general health of the business, but &ldquo;cyber&rdquo; is on the agenda of all Boards, and consistently&nbsp;rated&nbsp;as a top risk by many. 
The focus of the Board has shifted towards execution, very often in exchange for significant investments in cyber security, in particular where initial maturity levels were low.<\/p>\n","protected":false},"author":529,"featured_media":3059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[95],"ppma_author":[3178],"class_list":["post-2137","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-big-data-amp-technology"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0<a href=\"https:\/\/www.stratasecurity.co.uk\/\">Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0<a href=\"https:\/\/www.telecom-paristech.org\/\">Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. 
He is the author of \u201c<a href=\"http:\/\/www.blurb.co.uk\/b\/9015902-cyber-security-the-lost-decade-2018-edition\" target=\"_blank\" rel=\"noopener\">Cyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d. He contributes regularly to\u00a0<a href=\"http:\/\/www.thedigitaltransformationpeople.com\/authors\/jc-gaillard\">The Digital Transformation People<\/a>,\u00a0<a href=\"http:\/\/www.business2community.com\/author\/jc-gaillard\">Business 2 Community<\/a>, and\u00a0<a href=\"https:\/\/www.iotforall.com\/\">IoTforAll<\/a>\u00a0platforms, as well as the\u00a0<a href=\"https:\/\/www.thebtn.tv\/\">Business Transformation Network<\/a>. He is an expert contributor on the\u00a0<a href=\"https:\/\/ciowatercooler.co.uk\/members\/jean-christophe-gaillard\/activity\/\">CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/opinions\/bridging-gap-security-it-operations\/\">InfoSecurity<\/a>\u00a0Magazine,\u00a0<a href=\"http:\/\/www.computing.co.uk\/ctg\/opinion\/2396800\/how-to-achieve-effective-cyber-security-in-a-hyperconnected-world\">Computing<\/a>, the C-Suite.co.uk,\u00a0<a href=\"http:\/\/www.informationsecuritybuzz.com\/?s=gaillard\">Info Sec Buzz<\/a>\u00a0and the\u00a0<a href=\"http:\/\/www.director.co.uk\/blog-cyber-insurance-what-do-you-think-youre-buying-20323\/\">IoD 
Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=2137"}],"version-history":[{"count":4,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2137\/revisions"}],"predecessor-version":[{"id":35915,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2137\/revisions\/35915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3059"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=2137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=2137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=2137"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=2137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}