In the last year 80% of firms have faced a cyber attack; security starts from the top

  • Cyber threats pose some of the biggest challenges, but cybersecurity failure is still viewed as a significant short-term risk.

  • The lack of ‘cyber security readiness’ leaves companies vulnerable and at risk of major disruption in terms of cyberattacks.

  • Board members should actively embed cyber security risk management from the top and demand that cyber risk indicators be presented in financial and economic terms.

However, cybersecurity failure is still considered a significant short-term risk, according to the report, and high-value companies are frequently breached, with a significant negative impact on their performance.

Companies increasingly lack ‘cyber security readiness’ and are therefore prone to ongoing phishing attacks, which expose weaknesses in their systems such as stolen passwords or unprivileged servers.

80% of firms have faced cyber security breach

A recent study by Acronis showed that 80% of companies faced cyber security breaches over the past year, an increase of 68% from the previous year.

Meanwhile, 9% of companies experienced at least one cyberattack per hour, indicating a currently high level of risk.

This indicates that organizations are vulnerable to cyber attacks on their businesses, yet most lack promptness in response, which does not keep pace with the increasing sophistication of attackers.

Most executives and board members are aware of major global cyber threats and recognize cybersecurity risk as an enterprise-wide risk, but not everyone understands the impact of these cyber risks and their economic drivers.

It is therefore imperative for organizations to implement capabilities to strengthen cyber resilience and for board members to play an active role in leading this change.

Boards must prioritize cyber risks in planning

In this context, the World Economic Forum, in collaboration with the National Association of Corporate Directors and the Internet Security Association, published the Board Governance Principles of Cyber Risk report in 2021.

This report describes six principles that can help the Board of Directors in cyber risk governance: treat cyber security as a strategic business enabler; understand the economic drivers and impact of cyber risk; align cyber-risk management with business requirements; ensure that the organizational design supports cyber security; incorporate cyber security expertise into board governance; and encourage systemic resilience and collaboration.

The fourth principle, “Ensuring that Organizational Design Supports Cyber Security”, highlights the need to look at cyber security through a strategic lens and ensure that internal governance mechanisms are in place to address risks.

To apply this principle, there are important questions to consider:

  • Who is the owner of cyber risk in the organization and what is their role?

  • Does the cyber risk reporting process involve all business units and take into account key business decisions?

  • What are the key performance indicators related to cyber security for internal stakeholders?

With this information, the Board can objectively assess the financial and economic impact of cyber risk relative to other enterprise-wide risks, determine the organization’s risk appetite, and establish accountability and risk ownership.

Once accountability and risk ownership have been defined and agreed upon across the organization, it is important to develop a cyber security governance structure that is aligned to an organization’s business strategy.

Cyber security goals and objectives should be defined in alignment with the broader strategy, and the cyber security team should be constantly engaged with business representatives, executive leadership and the board at both the strategic and tactical level.

The involvement of senior management and the board of directors is important in many ways, as their role is to actively incorporate cyber security risk management into the organization and present cyber risk indicators in financial and economic terms, so that they can be shared with others in the company. They also provide oversight of how cyber risk is monitored, effectively comparing risks and priorities.

Strategic partnerships are critical to securing assets and services

A cyber security strategy should be defined with a high-level plan for how your organization will protect its assets and critical business services in the short term and the long term. Since technology and cyber threats are unpredictable and constantly evolving, the strategy must be revisited and updated regularly over the long term.

To develop a cyber security strategy that aligns with organizational goals, clear lines of communication must be established between the executive team and the cyber security organization. The main points are:

  • Chief Information Security Officer (CISO) involvement
    The CISO is a member of the Executive Committee. The CISO attends executive meetings and calls, strategic and product planning sessions, sales and marketing reviews, and so on, so the security organization is aware of upcoming changes and can prepare in advance for the necessary support. Additionally, the business is aware of the major cybersecurity risks to consider prior to the rollout of any technology change initiative or product launch.

  • Cyber security administration
    A cyber security committee should be set up within the CISO organization with key stakeholders to discuss the progress made during the year, cyber risk insights and priorities for future-state planning, considering the key elements needed to achieve maximum impact in the areas of Governance, Technology and Operations.

  • Committee agenda
    A Board-level Steering Committee should be set up with the CISO, Chief Information Officer, Chief Revenue Officer, Audit and stakeholders from the legal organization. During these committee meetings, security priorities should be reviewed and future roadmap initiatives discussed and iterated to ensure integration across all areas of the organization and to understand the associated impact. In this context, reporting is of great importance to underline how organizations can more effectively manage and understand the economics of cyber risk.

  • Cyber security update
    The security organization communicates directly with the board of directors to report on the maturity of the cyber security program and to raise issues that may affect shareholders or the organization’s position within its ecosystem. It is important for board members to increase their knowledge of how to address cyber security within their organizations. Direct communication gives the Board an opportunity to deepen its understanding of cyber risk and to provide guidance, as it fully recognizes its role in relation to cyber risk.

Cross-functional coordination can strengthen response capabilities

While the security team is often at the forefront of cybersecurity incident response, coordination with other teams, as well as broad organization-wide awareness, will be critical in strengthening response capabilities. Several initiatives should be implemented to collaborate with other departments:

  • Training: The security team should develop training modules for board members focused on protecting sensitive data and providing the basic cyber security knowledge and skills needed to respond to cyber security incidents. Additionally, board members should engage in tabletop exercises and simulations that rehearse responses to cyber security scenarios. These exercises not only allow board members to become better aligned and aware of their responsibilities during a security incident, but also help organizations continually improve their existing processes and build on the lessons learned.

  • Open communication: The security team should develop an internal blog or workspace to publish project updates, announce upcoming changes, and collect feedback throughout the organization. The team can also take advantage of Cyber Security Awareness Month to promote wider awareness of and participation in security program initiatives.

  • Interaction model: The security team should work closely with technology and business partners within the organization and define critical process handoffs, accountability and interaction models to ensure that cybersecurity risk considerations are appropriately integrated into business decisions (e.g., evaluation of new vendors, potential acquisitions, new product functionality). Additionally, feedback from the business lines should be solicited for continuous improvement of security program initiatives and investment decisions.

Collaboration is the key to being ‘cybersecurity ready’

As our world becomes increasingly digital, a push from the board for cross-functional collaboration across the organization will allow the security team to better align with business needs.