The days of throwing money at cybersecurity with no management oversight or engagement are long over. Cybersecurity is now 100% a business issue. It has evolved into a strategic corporate activity rather than a technology afterthought managed by the IT function. The ever-increasing and constantly changing nature of cyber risk means organisations need to develop new and innovative ways to manage it.
Businesses as a whole now have to regularly ask themselves “how do we begin to eat the cyber elephant?”
The answer is complicated, with several corporate stakeholders (Management, IT, Legal, HR and Procurement) each playing an important role. In many businesses, a shift in management mindset is required, as cybersecurity is no longer a technology-only issue. The management team will need to make more time for it and exercise better oversight; not having the time is no longer a valid management excuse. At the same time, IT should no longer simply be able to veto every business idea that presents cybersecurity challenges. Organisations need to develop a risk-based approach to dealing with these issues: identify the risk, weigh it against the business benefit, and decide how to treat it.
For in-house lawyers and other stakeholders tasked with steering this fast-moving ship, forging better relationships within the business, getting buy-in and proactively bringing viable options to the table is critical.
Key players in the supply chain may be just as critical. We increasingly see businesses face multimillion-pound hits to the bottom line and to share value arising from cybersecurity failures caused by inadequate management of third parties. Management now needs to invest much more than money: it must educate its IT and cybersecurity functions and keep them informed of strategic plans, so that these functions can proactively adapt and adopt effective, business-focused cyber measures.
The reality is that all stakeholders should have a shared and collective responsibility for protecting their organisation’s cyber posture, especially as these threats are dynamic and threat actors run their operations like sophisticated FTSE 350 businesses.
So, what should business leaders be doing now?
To the extent this is not already happening in your business, it could be time for you to shake the conversation up as follows:
- Management needs to reassess and affirm that cybersecurity is a board level issue.
- Trigger an incremental cultural shift across the organisation today – this is critical as your risk exposure now comes from many vectors.
- Educate: the key to success will depend on your people. Keep them informed, aware and educated and they will form a core part of your cyber protection ring.
- Adopt the right resourcing strategy. Ensure you adequately resource your cybersecurity talent. It is perplexing to sometimes see job adverts that specify “must have specific sector experience”. Cyber risks are cyber risks. Whilst sector experience is valuable, excluding those without it is irrational: it discards new ideas and inter-sector knowledge-sharing and encourages groupthink. There are eight core domains in cybersecurity (the domains used by the CISSP body of knowledge) – Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations and Security in the Software Development Lifecycle – and none of them is sector specific. If your one-bedroom apartment had a leaking roof, would you advertise ONLY for roofers with experience of fixing one-bedroom apartments? Of course not; you just need a roofer who can do the job. It is important for businesses to understand that some sectors have been developing cybersecurity strategies for longer than others, and a more inclusive resourcing approach may stand your business in good stead.
- Create an informed two-way corporate communication bridge. Management should regularly check and audit their investments and the IT and cybersecurity functions should (with management blessing) have a mechanism to regularly update on progress, developments and challenges. “Trust but verify” should be the motto.
Culturally, it is important that organisations move away from the idea that this “cyber thing” is slowing us down and is someone else’s problem. I call it the “We are secure and have no cyber issues” mentality. The truth is that no one is truly secure, and managing these risks requires a collective and considered effort (not one driven solely by keeping your cyber insurance premium down and complying with your policies).
Unfortunately, these challenges are not going away anytime soon. Whilst society is seeing a general decrease in physical crime, online crime is increasing rapidly. Just as audit committees actively ensure, and independently verify, that their businesses are financially sound, so too must risk committees now build organisational cybersecurity structures that can be independently verified.
Whilst organisations can’t achieve a completely risk-free position, they can take proactive steps to manage the ever-increasing threats. In real life, the house without visible security is more likely to be burgled first; so too are organisations without a proactive, defence-in-depth approach to managing cyber risks. Demonstrating organisational proactiveness might mitigate attacks and reduce fines, or even keep them at bay. Remember, cybersecurity is now a business issue that requires all hands on deck.