[Column] Patrick Evans: Governing cybersecurity from the top as a strategic business enabler
Cybersecurity breaches pose a major business risk and can no longer be viewed as a technology concern. Business leaders agree on this point according to Gartner’s 2022 Board of Directors Survey which found 88% of respondents viewed cybersecurity as a business risk. However, only 13% of boards have responded by instituting cybersecurity-specific board committees overseen by a dedicated director. In some instances, it may be the case that directors are not always completely aware of their duties and liabilities concerning cybersecurity oversight. It is also the case that many industries have been slow to adopt a security-first approach to their operations.
In the same way that boards are tasked with ensuring appropriate financial governance and due diligence, cybersecurity is part and parcel of carrying out fiduciary responsibility to shareholders and managing business risk. Cyberattacks do not simply take down a website. They can completely shut down business processes and, worse still, hold a company’s entire IP or customer database for ransom. According to the World Economic Forum’s (WEF) 2022 Global Cybersecurity Outlook report, the average cost to a business from a cybersecurity breach is around $3.6 million. The same report also found that over and above the financial implications, a breach can affect the average share price of a hacked organisation up to six months after the event.
For years, cybersecurity professionals have understood that a sound cybersecurity strategy is simply good business strategy. Now, the cybersecurity gap between operating managers and C-Suite executives may finally be closing. In March of 2022, the United States Security and Exchange Commission proposed a set of new rules that could significantly increase public companies’ reporting of both cybersecurity breaches and the steps executive management and boards have in place to mitigate cyber risk. The SEC’s proposals raise important considerations for businesses across the globe regarding management reporting, and even how boards should be structured and organized in the very near future.
At a minimum, in the aftermath of a breach top management should be able to address the following:
1. Are they confident that the incident is fully contained?
2. Do they know how attackers got in? What was exploited?
3. Do they have adequate controls (preventative and detective) to ensure it won’t happen again?
With the massive increase in the number of threats facing organisations and the uptick in ransomware, cyber risks need to be managed strategically. Research bears out the fact that it doesn’t pay to pay ransomware attackers. A 2022 survey of cybersecurity professionals across multiple sectors found organisations that paid ransomware were targeted again, sometimes less than a month later, for an even higher sum. This means C-Suite executives and boards should focus their efforts on solid detection and prevention measures to contain attacks before data and critical systems are in serious jeopardy. Of course, it is impossible to eliminate risk entirely, but organisations can significantly decrease their chances of becoming repeat victims by executing the right strategies before an attack happens or remediating it right the first time before another one strikes.
It’s evident that people and organisations want to engage with businesses that are secure and that the pendulum of purchasing power will land in favour of businesses that take the ever-present threat of being compromised seriously. In a digitally connected world, organisations are now making sure companies are secure by design before signing the dotted line. The other side of the same coin is that businesses which are secure by design now have a built-in sales and marketing advantage that will win them contracts in new markets and the lion’s share of contracts in existing markets – placing cybersecurity firmly in the territory as a business enabler and well beyond the current, reluctant view of it being a necessary cost.
While regulation may force the hand of boards and executive directors, it would be unwise to wait for such an eventuality – especially when there are steps that can be taken today to ensure organisations become more effective, resilient, and forward-looking. The last straw for complacency in the form of a breach or attack is really only a matter of time.
The first and most crucial step for executive-level management is to view cybersecurity as a strategic business enabler. This shift in approach can empower a business to achieve long-term sustainability and the confidence to pursue innovation and new areas of growth. With an understanding of the economic drivers and impact of cyber risk, executives can better and more carefully align cyber risk management with business needs. And, by incorporating cybersecurity expertise into board governance, businesses can ensure organisational design supports cybersecurity.
Patrick Evans is the Chief Executive Officer of SLVA Cybersecurity.