{"id":22738,"date":"2021-04-12T08:27:00","date_gmt":"2021-04-12T08:27:00","guid":{"rendered":"https:\/\/www.experfy.com\/blog\/biggest-mistakes-board-make-around-cyber-security\/"},"modified":"2023-08-26T11:53:48","modified_gmt":"2023-08-26T11:53:48","slug":"biggest-mistakes-board-make-around-cyber-security","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/iot\/biggest-mistakes-board-make-around-cyber-security\/","title":{"rendered":"The 3 Biggest Mistakes The Board Can Make Around Cyber Security"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"22738\" class=\"elementor elementor-22738\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-9574799 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"9574799\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7f67cd3\" data-id=\"7f67cd3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1f7bae5 elementor-widget elementor-widget-text-editor\" data-id=\"1f7bae5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"has-medium-font-size\"><em>The protection of the business from cyber threats is something you need to grow, not something you can buy<\/em><\/p>\n<p>The role of the Board in relation to cyber security is a topic we have visited several times since 2015,&nbsp;<a 
href=\"https:\/\/corixpartners.com\/cyber-security-the-six-questions-the-board-of-directors-needs-to-ask\/\" target=\"_blank\" rel=\"noreferrer noopener\">first<\/a>&nbsp;in the wake of the TalkTalk data breach in the UK, then in&nbsp;<a href=\"https:\/\/corixpartners.com\/cyber-security-revisiting-board-questions\/\" target=\"_blank\" rel=\"noreferrer noopener\">2019<\/a>&nbsp;following the WannaCry and NotPetya outbreaks and data breaches at BA, Marriott and Equifax amongst others. This is also a topic we have been researching with&nbsp;<a href=\"https:\/\/www.techuk.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">techUK<\/a>, and that collaboration resulted in the start of their Cyber People series and the production of the \u201c<a href=\"https:\/\/www.techuk.org\/resource\/techuk-launches-the-ciso-at-the-c-suite-report.html\" target=\"_blank\" rel=\"noreferrer noopener\">CISO at the C-Suite<\/a>\u201d report at the end of 2020.<\/p>\n<p>Overall, although the topic of cyber security is now definitely on the board\u2019s agenda in most organisations, it is rarely a fixed item. 
More often than not, it makes appearances at the request of the Audit &amp; Risk Committee or after a question from a non-executive director, or \u2013 worse \u2013 in response to a security incident or a near-miss.<\/p>\n<p>All this hides a pattern of recurrent cultural and governance attitudes which could be hindering cyber security more than enabling it.<\/p>\n<p>There are 3 big mistakes the Board needs to avoid to promote cyber security and prevent breaches.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5ba12d1 elementor-widget elementor-widget-heading\" data-id=\"5ba12d1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1-Downgrading it<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7c01bf8 elementor-widget elementor-widget-heading\" data-id=\"7c01bf8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">\u201cWe have bigger fish to fry\u2026\u201d<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-46c3c5c elementor-widget elementor-widget-text-editor\" data-id=\"46c3c5c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Of course, each organisation is different and the COVID crisis is affecting each differently \u2013 from those nearing collapse, to those which are booming.<\/p>\n<p>But pretending that the <a href=\"https:\/\/www.experfy.com\/blog\/ai-ml\/artificial-intelligence-in-cyber-security-the-savior-or-enemy-of-your-business\/\" target=\"_blank\" 
rel=\"noreferrer noopener\">protection of the business from cyber threats<\/a> is not a relevant board topic now borders on negligence and is certainly a matter of poor governance which non-executive directors have a duty to pick up.<\/p>\n<p>Cyber attacks are in the news every week and have been the direct cause of millions in direct losses and hundreds of millions in lost revenues in many large organisations across almost all industry sectors.<\/p>\n<p>Data privacy regulators have suffered&nbsp;<a href=\"https:\/\/corixpartners.com\/gdpr-fines-regulators-show-muscles\/\" target=\"_blank\" rel=\"noreferrer noopener\">setbacks<\/a>&nbsp;in 2020: They have been forced to adjust down some of their fines (BA, Marriott), and we have also seen a first successful challenge in Austria leading to a multi-million fine being&nbsp;<a href=\"https:\/\/www.dataguidance.com\/news\/austria-federal-administrative-court-overturns-18m-fine\" target=\"_blank\" rel=\"noreferrer noopener\">overturned<\/a>&nbsp;(EUR 18M for Austrian Post). 
Nevertheless, fines are now reaching the millions or tens of millions regularly; still very far from the 4% of global turnover allowed under the GDPR, but the upwards trend is clear as DLA Piper highlighted in their&nbsp;<a href=\"https:\/\/www.dlapiper.com\/en\/uk\/insights\/publications\/2021\/01\/dla-piper-gdpr-fines-and-data-breach-survey-2021\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"broken_link\">2021 GDPR survey<\/a>, and those numbers should register on the radar of most boards.<\/p>\n<p>Finally, the COVID crisis has made most businesses heavily dependent on digital services, the stability of which is built on sound cyber security practices, in-house and across the supply chain.<\/p>\n<p>Cyber security has become a pillar of the \u201cnew normal\u201d and even more than before, should be a regular board agenda item, clearly visible in the&nbsp;<a href=\"https:\/\/corixpartners.com\/cyber-security-revisiting-board-questions\/\" target=\"_blank\" rel=\"noreferrer noopener\">portfolio<\/a>&nbsp;of one member who should have part of their remuneration linked to it (should remuneration practices allow). 
As stated above, this is fast becoming a plain matter of good governance.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0a1190f elementor-widget elementor-widget-heading\" data-id=\"0a1190f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">2-Seeing it as an IT problem<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7df4bc1 elementor-widget elementor-widget-heading\" data-id=\"7df4bc1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">\u201cIT is dealing with this\u2026\u201d<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7eabed5 elementor-widget elementor-widget-text-editor\" data-id=\"7eabed5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This is a dangerous stance at a number of levels.<\/p>\n<p>First, cyber security has never been a purely technological matter. The protection of the business from cyber threats has always required concerted action at people, process and technology level across the organisation.<\/p>\n<p>Reducing it to a tech matter&nbsp;<a href=\"https:\/\/corixpartners.com\/first-100-days-new-ciso-firefighting\/\" target=\"_blank\" rel=\"noreferrer noopener\">downgrades<\/a>&nbsp;the subject, and as a result the calibre of talent it attracts. 
In large organisations \u2013 which are intrinsically territorial and political \u2013 it has led for decades to an endemic failure to address cross-silo issues, for example around identity or vendor risk management \u2013 in spite of the millions spent on those matters with tech vendors and consultants.<\/p>\n<p>So it should not be left to the CIO to deal with, unless their profile is sufficiently elevated within the organisation.<\/p>\n<p>In the past, we have advocated alternative&nbsp;<a href=\"https:\/\/corixpartners.com\/digital-transformation-role-ciso\/\" target=\"_blank\" rel=\"noreferrer noopener\">organisational models<\/a>&nbsp;to address the challenges of the digital transformation and the necessary reinforcement of practices around data privacy in the wake of the GDPR. They remain current, and of course are not meant to replace \u201cthree-lines-of-defence\u201d type of models.<\/p>\n<p>But here again, caution should prevail. It is easy \u2013 in particular in large firms \u2013 to over-engineer the three lines of defence and to build monstrous and inefficient control models. 
The three lines of defence can only work on&nbsp;<a href=\"https:\/\/corixpartners.com\/grc-model-only-works-on-trust\/\" target=\"_blank\" rel=\"noreferrer noopener\">trust<\/a>, and must bring visible value to each part of the control organisation to avoid creating a culture of suspicion and regulatory window-dressing.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bf04d51 elementor-widget elementor-widget-heading\" data-id=\"bf04d51\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">3-Throwing money at it<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-934b5ae elementor-widget elementor-widget-heading\" data-id=\"934b5ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">\u201cHow much do we need to spend to get this fixed?\u201d<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b4dbb43 elementor-widget elementor-widget-text-editor\" data-id=\"b4dbb43\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The protection of the business from cyber threats is something you need to grow, not something you can buy \u2013 in spite of what countless tech vendors and consultants would like you to believe.<\/p>\n<p>As a matter of fact, most of the breached organisations of the past few years (BA, Marriott, Equifax, Travelex etc\u2026 the list is long\u2026) would have spent collectively tens or hundreds of millions on cyber security products over the last decades\u2026<\/p>\n<p>Where 
cyber security maturity is low and profound transformation is required, simply&nbsp;<a href=\"https:\/\/corixpartners.com\/4-pillars-lasting-cyber-security-transformation\/\" target=\"_blank\" rel=\"noreferrer noopener\">throwing money<\/a>&nbsp;at the problem is rarely the answer.<\/p>\n<p>Of course, investments will be required, but the real silver bullets are to be found in corporate culture and governance, and in the true embedding of business protection values in the corporate purpose: Something which needs to start at the top of the organisation through visible and credible board ownership of those issues, and cascade down through middle management, relayed by incentives and remuneration schemes.<\/p>\n<p>This is more challenging than doing ad-hoc pen tests but it is the only way to lasting long-term success.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The protection of the business from cyber threats is something you need to grow, not something you can buy<\/p>\n","protected":false},"author":529,"featured_media":19131,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[195],"tags":[871,945,943,462],"ppma_author":[3178],"class_list":["post-22738","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iot","tag-board-support","tag-c-suite","tag-ciso","tag-cyber-security"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe 
Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0<a href=\"https:\/\/www.stratasecurity.co.uk\/\">Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0<a href=\"https:\/\/www.telecom-paristech.org\/\">Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. He is the author of \u201c<a href=\"http:\/\/www.blurb.co.uk\/b\/9015902-cyber-security-the-lost-decade-2018-edition\" target=\"_blank\" rel=\"noopener\">Cyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d. He contributes regularly to\u00a0<a href=\"http:\/\/www.thedigitaltransformationpeople.com\/authors\/jc-gaillard\">The Digital Transformation People<\/a>,\u00a0<a href=\"http:\/\/www.business2community.com\/author\/jc-gaillard\">Business 2 Community<\/a>, and\u00a0<a href=\"https:\/\/www.iotforall.com\/\">IoTforAll<\/a>\u00a0platforms, as well as the\u00a0<a href=\"https:\/\/www.thebtn.tv\/\">Business Transformation Network<\/a>. 
He is an expert contributor on the\u00a0<a href=\"https:\/\/ciowatercooler.co.uk\/members\/jean-christophe-gaillard\/activity\/\">CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/opinions\/bridging-gap-security-it-operations\/\">InfoSecurity<\/a>\u00a0Magazine, \u00a0<a href=\"http:\/\/www.computing.co.uk\/ctg\/opinion\/2396800\/how-to-achieve-effective-cyber-security-in-a-hyperconnected-world\">Computing<\/a>, the C-Suite.co.uk,\u00a0<a href=\"http:\/\/www.informationsecuritybuzz.com\/?s=gaillard\">Info Sec Buzz<\/a>\u00a0and the\u00a0<a href=\"http:\/\/www.director.co.uk\/blog-cyber-insurance-what-do-you-think-youre-buying-20323\/\">IoD Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=22738"}],"version-history":[{"count":4,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22738\/revisions"}],"predecessor-version":[{"id":31605,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/22738\/revisions\/31605"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/19131"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=22738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=22738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=22738"},{"taxonomy":"author","embeddable":true,"
href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=22738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}