How do you prepare your board to champion and adequately respond to the rising cybersecurity threat?
If the board does not make the right decisions, it lets down the organization. At the end of the day, everything goes back to the board. When something goes wrong at the organization, everyone asks where the board was.
One of the primary roles of the board is risk oversight – anticipating what could go wrong and proactively preventing it from happening. Cyber threat risk is one of the emerging risks because organizations are automating at the core and are therefore increasingly exposed to cyber attacks that result in breaches compromising confidentiality, integrity and availability.
Unlike the traditional business models, where the board would be concerned about physical security, for example money in the strong room, an attacker can now go online and extract details about your company through what are called footprinting, reconnaissance or intelligence-gathering techniques. The attackers get to know about your business, board members, and management team. They then craft a scheme through which the organization could lose money in fictitious payments, or they put your critical ICT systems down. If you are a financial institution, the magnitude of the loss could be big, given that services run on ICT systems. There are several attack vectors that could exploit your vulnerabilities or weaknesses.
The board has to deliberately put cyber threats on the agenda as part of risk management. The board must discuss which systems are mission-critical, how they are automated, and what threats could bring them down by exploiting any vulnerabilities.
Increasingly, boards are expected to have a cyber security expert who advises them on cybersecurity hygiene or strategy or the board must continuously undergo cybersecurity training from a policy and high-level point of view. Organizations with the desire to transform their cybersecurity maturity level conduct continuous cybersecurity maturity risk assessments covering a spectrum of infrastructure, people, processes, and threat incidents, among others.
On a scale of 1 to 5, how strong or weak is the organization’s cybersecurity maturity? Given the state of your organization and the threats you are exposed to, what should your level of security be? Once you understand where you are and the gap that must be closed, you can create an adequate implementation program and budget to close the gaps and vulnerabilities. This gives the board clarity and direction. Any digitization program should have a cybersecurity budget. The board needs to drive digitization securely.
A good board must continuously ask:
- What are the company’s critical business processes, and what assets support them? Are they cyber secure? When did we last conduct a business impact assessment? Who did it?
- Is our cybersecurity strategy aligned with the business technology strategy and corporate strategy?
- How often do we undertake cybersecurity assessments?
- What is the cybersecurity budget vs the physical security budget? What is the digital value at risk?
- How often does the board receive cybersecurity updates? Are they adequate and comprehensive?
For more questions and a board-level briefing on the board’s cybersecurity roles, contact Mr Strategy using any contact option on this website.
Copyright Mustapha B Mugisa, Mr Strategy, 2022. All rights reserved.