Cyber security: Where to start as a director

Mandy Simpson, Cyber Toa
Dec 11, 2016

Technology risks are making a big impact in the boardroom. Consulting firm Protiviti's annual Top Risks Survey, released this week, showed that among the 735 directors and executives surveyed, operational disruption from cyber threats ranked third overall, the disruptive impact of new technologies ranked fourth, and privacy and information security issues ranked fifth.

Earlier this year in New Zealand, Marsh surveyed 525 Institute of Directors members with similar results. Cyber security was named the number two external risk, and data corruption, loss or system failure was considered the third highest internal risk.

Directors are becoming concerned. Rightly so. So where is best to begin in this complex and fast moving area?

An enterprise risk like any other

Cyber security is an enterprise-wide risk, impacting right across business areas. It can be an uncomfortable topic for discussion because some directors feel they need a greater understanding of the technology issues than they currently have.

While some education in this area may be helpful, it's worth noting that cyber security issues at their core are just risks like any other. The good news is that as directors we are used to dealing with risk. We understand the language of risk management and are comfortable discussing it. Even better, there may already be a risk management framework in place to help.

A shared understanding of the key cyber security risks

Each company is different, so a generic approach that ignores what is important in your organisation is unlikely to be useful. Instead, start with simple questions about what could go wrong and what the impact and likelihood of that might be. In particular, try to determine what your critical data assets and systems are. Depending on what the company does you might be concerned about:

  • system unavailability, particularly customer facing or otherwise critical systems
  • deletion, theft or corruption of customer data (e.g. passwords, identity documents, financial information, medical or other sensitive data)
  • theft of money, IP, business plans etc.

It is important that the directors come to a shared understanding of the key cyber security risks facing the organisation, as well as the level of risk they are willing to accept. This is likely to require significant engagement with the management team, detailed work around the board table, and in some cases external assistance.

Plan for a breach

“Many organisations must face a troubling fact: defending their digital perimeter is not enough. They should assume that successful cyberattacks will occur — and develop an effective plan to mitigate the impact.” McKinsey & Co

A cyber security incident plan, much like any other type of disaster recovery plan, should be put in place before an incident occurs. As an example, if your systems are unavailable due to a ransomware attack, this is not the time to start a discussion about the morality or effectiveness of paying a ransom, or to discover whether your backups can actually be restored. You need to have already had that discussion, tested the recovery, and be ready to respond one way or the other, quickly.

A good plan will ensure the company can make decisions quickly, can rapidly weigh trade-offs such as uptime against the risk of data loss, and can coordinate across multiple areas such as legal, customer service, communications, finance and external advisors such as insurers.

Accountability — who and where

“What matters is the ability to have the ear and the attention of senior management and the board, and to have engaged conversations around cyber risks.” Christophe Veltsos, securityintelligence.com

Who in the organisation is accountable for cyber security? Is there a Chief Information Security Officer (CISO) or a similar position? If so, do they have the level of influence and the resources they need? Do they have access to the board on a regular basis?

There are a variety of views about where in the organisation a CISO should report. Many report to the CIO, but others report directly to the CEO, or perhaps to the CFO or COO. The right answer will be different for each company. But as with appointing a Head of Internal Audit, the capability, resources and position of a CISO will affect the effectiveness of any cyber security programme. It is a decision directors should pay attention to.

Tone from the top

Regardless of who is accountable within the organisation, the company culture around cyber security will be strongly guided by the directors. Again, this is a narrative we've seen before in other areas, including driving innovation and managing health and safety risks. As directors we are used to the idea that our behaviour sets a standard.

It is thankfully rare in New Zealand to come across senior people breaching the controls in place around finances. We'd be surprised if a director or CEO expected the company to provide them with an undocumented loan. Yet requests for special treatment when it comes to IT security are much more prevalent, and employees will take note. If the CEO expects an exception to use an unapproved cloud file storage service, or a board member insists on having the board papers emailed to their personal email address, then others will feel they can ignore the rules too. We need to hold ourselves, our board colleagues and the management team to the standard we want for the organisation.

It is also worth considering your own general attitude to cyber security, including at home. Do you use strong passwords and never reuse them across services? Do you use two-factor authentication for your email? Is your personal computer regularly backed up, and have you checked the backup can be restored? It is hard to be authentic about cyber security in the boardroom if you aren't doing at least the basics at home.

An ongoing conversation

Cyber security is not a set-and-forget area. You need to keep the conversation going. One way to keep a regular discussion happening, and to demonstrate the board's commitment to this area, is to start asking about cyber security in a variety of other discussions.

If you are approving a business case, do you understand the cyber security impacts? Do you really need all of the data you are proposing to collect, and for how long must it be kept? Have you assessed the cyber security of the third-party provider you are proposing to use? If you are considering a merger or acquisition, have you included cyber security in the due diligence? When you are considering the annual plan, do you understand the cyber security priorities and budget?

If you ask about cyber security regularly enough, it will become part of the company’s day to day language.

Organisational resilience

Complete removal of cyber security risk is unrealistic given the increasing threat levels and rapidly changing environment. The aim for directors should be an organisation that is appropriately resilient and able to cope when an attack occurs.

With that in mind, directors should ensure they are informed about the risks, are comfortable with the level of resource being applied against them, and are comfortable with the plans in place for dealing with a breach when it occurs.

Further reading: IOD Cyber-Risk Practice Guide

Mandy Simpson is CEO at Wellington based consultancy firm Cyber Toa. She is a member of the New Zealand Institute of Directors and on the boards of Punakaiki Fund and NZTech. This article was first published at cybertoa.com
