Increase Cyber Security Literacy in the Boardroom


Singapore, June 2, 2016


Get some tips on how to increase cyber security literacy in the boardroom. Top management has a critical role to address and oversee decisions related to cyber security – decisions that cannot be delegated to IT teams. A top-down approach is needed to establish a well-defined security posture for the organisation.

In this digital age where everything and everyone is online and connected, cyber security can cripple a business, undermine a brand built up over many years, or shake the confidence that customers and investors have in it.

Cyber security cannot be delegated to IT teams to manage and that the Board has a critical role to play to ensure there is a sustainable, holistic and risk-based approach to putting in place capabilities, processes and technology to protect the organisation’s most critical assets. Gaps in in-house capabilities should be identified and potentially plugged through partnerships with external security providers.

As recently as a few years ago, cyber security was not a topic often discussed in the boardroom. Today, with cyber criminals stealing up to 1 terabyte of data per day1, translating to $1 trillion in global losses1, it is a critical concern for businesses of all sizes, industry and location.

Although boards have acknowledged its importance in today’s digital economy, most still perceive it as an IT risk and therefore delegate such issues to the Chief Information (CIO) or Chief Technology Officer (CTO).

To effectively address and oversee decisions relating to cyber security, a top-down approach is required to establish a well-defined security posture for the organisation. The board needs to:

• Proactively acknowledge the impact of cyber risks;

• Prioritise cyber security conversations in the boardroom; and,

• Be equipped to ask the right questions and engage in meaningful conversations with the management.

Prioritising cyber security alongside other ‘risk and security’ issues will ensure that it is allocated ‘airtime’ in Board meeting agendas.

Many Board members may grapple with IT knowledge and deem this a limitation to gaining a good understanding of cyber security issues. Yet, board members often do not require prior accounting or auditing knowledge to peruse financial statements.

The same applies to understanding cyber security risks. To increase cyber security literacy in the boardroom:

1. Arrange for periodic deep-dive discussions with your CIO, CTO and/ or Chief Information Security Officer (CISO) to identify business-critical assets and review and assess current security policies, processes and budgets to protect them.

2. Define and assign roles and responsibilities for cyber security within the organisation and track security risks on the company’s risk register.

3. Invite industry experts periodically to provide up-to-date technology and industry trends briefing, and to keep current with knowledge of the threat landscape.

PROACTIVE DEFENCE

Boards will also need to assess how adequate the defences of their organisations are, the relative merits of managing security in-house and with external partners, and to balance trade-offs between risk and mitigation costs.

All these point to the need for a proactive and comprehensive strategy to protect against rapidly evolving cyber threats as well as ensure sustained vigilance. This entails building capabilities in these three areas:

People: Nurture a pool of deep and specialised security expertise that is constantly plugged into the latest threats and technologies.

Intelligence: Engage in continuous global visibility and intelligence that is shared and analysed across vendors and businesses to better predict and defend against new threats.

Technology: Leverage technologies to offer integrated, multi-layered protection against multi-vector cyber threats via Internet, corporate network and mobile devices.

Building such capabilities requires significant and recurring investment in costly and resource-intensive platforms. For many enterprises, there are limited resources to do this entirely in-house. Businesses can look to Managed Security Service Providers (MSSPs) as trusted partners to meet their cyber security needs.

1CNET, Cyber Attacks Account for up to $1 Trillion in Global Losses (July 22, 2013), http://news.cnet.com/8301-1009_3-57594989-83/cyber attacks-account-for-up-to-$1-trillion-in-globallosses