Boards’ need to step up cyber stewardship
February 2022 | SPOTLIGHT | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
February 2022 Issue
As the impact of cyber crime on corporate business features ever more prominently in national and global news, its financial, legal and reputational consequences have ensured that the subject now has a permanent and prominent place in the boardroom.
So, what criteria separate secure and insecure organisations? Do the boards of these companies approach cyber security in starkly different manners? Is it just risk that needs mitigation, or do astute corporate stewards have a better understanding of how to effectively steer clear of cyber threats?
Can cyber security be resolved by compliance or stewardship?
Over the last several decades, cyber security approaches have evolved from safeguarding online or virtual assets in sectors including dotcom start-ups and banks, which either operated on the internet or stored significant client information online. During this time cyber security measures tended to be employed on an ‘if needed’ basis, or as part of risk reduction and customer reassurance exercises.
In shaping boards’ cyber security perspectives, the deciding factor tends to be the exact function each measure performs and the results it achieves.
Today, the board’s oversight function in this and all areas can be subdivided into two essential remits: compliance and stewardship.
Research suggests that corporate governance reforms are forcing boards to increasingly focus on compliance, even at the expense of strategy. However, the compliance element is limited to ensuring that basic best practice is conducted, essentially answering the question: how are boards involved in cyber security management?
On the other hand, stewardship requires that boards go a step beyond immediate monitoring measures and ensure that cyber security is not just managed, but pre-emptively prepared for – setting the stage for genuine cyber security governance.
A 2015 study, which interviewed chief information officers and managers at several US and European firms to better understand their respective cyber security perspectives, produced revealing results. It found that US firms were more up to date and better prepared on cyber than their UK and European counterparts.
The second key finding was that most firms viewed the need to invest in cyber security primarily as a response to either reducing risk or fulfilling their compliance requirements. Threat perceptions have certainly moved in the nearly six years since the study.
COVID-19’s impact on cyber security
Over the past two years, cyber security has fallen under another harsh and even stronger spotlight. For one, cyber security management has transformed into cyber security governance, making it incumbent upon boards and their top management teams to keep cyber at the heart of strategic and operational agendas.
Secondly, there is the wider perspective of how cyber security itself is approached. Are organisations merely ticking the proverbial box of risk compliance by setting up a cyber security agenda, or are the more successful operators rising to the occasion and incorporating cyber security into their stewardship objectives by taking all of the necessary steps required to protect the firm?
In a 2017 survey of FTSE 100 companies, 87 percent stated that cyber was a principal risk to their organisation. Similarly, research interviewing 1000 senior IT and business clients on their industry challenges identified cyber security among their top five priorities.
And yet this affirmation raised a number of other vital questions. For example, once size, lifecycle, geography and industry sector are accounted for, do enterprises approach cyber security differently or, in today’s Industry 4.0 era, is every firm operating on the same level playing field?
The coronavirus (COVID-19) pandemic has put these questions to rest, as among the many devastating outcomes of the pandemic, the rise in cyber-related crimes has been nothing short of meteoric.
BAE Systems Applied Intelligence commissioned a study entitled the ‘COVID Crime Index 2021’, which sheds light on a number of cyber security side effects of the pandemic. The study notes that while physical crime diminished significantly, online crime and fraud saw an unprecedented increase.
With the increase in remote working, organisational funding cuts for IT security and cyber crime prevention have averaged 26 percent over the COVID-19 period. Over the same period, criminal activity against financial institutions rose by a comparable 29 percent. Consequently, 77 percent of those interviewed expressed concerns over the continued increase in cyber threats in the near future. Evidently, the pandemic has made the difference between compliance and stewardship approaches even sharper.
As for the pandemic itself, examples of private sector players exploiting the full benefits of the digitalised 4.0 technology era are coming to light. To deal with the contagion risk, many retailers decided to license Amazon’s ‘Just Walk Out’ technology, which combines computer vision and artificial intelligence (AI) to bill customers, without needing them to wait at a checkout counter.
Similarly, in China, robots were used to deliver medicines and meals and to collect rubbish and bedsheets in hospitals. This handful of examples presents a positive side to digitalisation and its possibilities as a saviour during times of calamity. If cyber threats were to be looked at as a comparable disaster response, does technology have anything to offer with regard to improving cyber security?
Top tips for mitigating and managing cyber risks
The compliance-led approach. In many respects, planning for and investing in cyber secure digital assets has become something of a hygiene factor in any organisation’s security agenda. The first step is to identify the value of the firm’s digital assets, which paves the way for a subsequent approach to cyber security.
For many organisations outside the Critical National Infrastructure (CNI), or banking and financial service sectors, this could involve arranging mechanisms to ensure the risk posed by cyber threats is well managed.
Big Tech and other successful industry leaders are coming to rely on technologies like AI, machine learning and robotics to fortify their cyber landscape. AI algorithms use training data to devise new ways to respond to cyber incidents and threats, and then identify adequate solutions to mitigate them. Such advances then make it simpler for risk and audit committees to take on the responsibility of supervising cyber security for the firm.
Despite this, organisations which derive considerable value from the employee and client information they retain are also incorporating additional measures to secure their digital materials.
The stewardship-led approach. Firms which are more invested in sustained success, or are heavily focused on protecting their digital realm, need to go beyond merely adopting adequate technology and devise further methods to strengthen their information security protocols.
Organisations often invest in resources that ensure all of the information residing with them, often stored on cloud servers, is kept secure. The UK government was recently in the news for having invested in Amazon Web Services to provide a virtual vault for the information managed by MI5 and MI6. In addition, a number of certifications are available for businesses to reassure their partners that they take cyber security and the protection of third-party assets and intellectual property seriously. ISO27001 is one such internationally recognised best practice framework for information security management.
Other successful organisations approach cyber security as a function of its important trifecta – technology, systems and people. Investing in technologies is one way to guarantee reduced cyber risks. Another is to ensure that the human factor presents vastly reduced vulnerabilities.
This approach includes ensuring that members of governing boards have experience in risk management and mitigation. Many organisations are now choosing newer members with expertise in technology portfolios to help spread this knowledge throughout the firm. Entire staff are being trained and retrained, sometimes through mock exercises, to prevent unfortunate incidents such as phishing or whaling attacks at the hands of cyber criminals.
When the public is being affected so considerably, the best solutions often reside in combined efforts by both the government and its private institutions.
In the UK, institutions like the National Cyber Security Centre, under the guidance of GCHQ, have released their ‘Cybersecurity Toolkit for Boards’, which is intended to create awareness and impact with those who are pivotal to securing an organisation’s cyber realm. Explaining the risks associated with cyber security, general steps to managing these risks and providing additional information to make well-informed decisions is all part of a continual process.
Give cyber risks the status they deserve
For any organisation there are many cyber security dilemmas to be solved. Should it craft a strategy under its compliance or stewardship function? Should cyber security be managed from a strategic or operational perspective? Should it choose cyber security governance or cyber security management?
All of these are important points, but the most important question of all is: is cyber security an element of its technology or security concerns? Everything else can be resolved if this final question is answered first.
Looking at cyber security from a limiting view of technological choices or aspirations may be a luxury the board cannot afford. Cyber security risks in the contemporary world pose an insurmountable threat which is best treated as an immediate and top priority. Giving this the appropriate risk status is the first step in successfully mitigating and managing the challenge.
Andrew Kakabadse is professor of governance & leadership, Ruchi Goyal is a doctoral researcher and Nada Kakabadse is professor of policy, governance and ethics at Henley Business School. Mr Kakabadse can be contacted on +44 (0)1491 418 776 or by email: a.kakabadse@henley.ac.uk. Ms Goyal can be contacted by email: goyal@pgr.reading.ac.uk. Ms Kakabadse can be contacted on +44 (0)1491 418 786 or by email: n.kakabadse@henley.ac.uk.
© Financier Worldwide
By Andrew Kakabadse, Ruchi Goyal and Nada Kakabadse, Henley Business School