Board members need to insist on understanding IT / Cybersecurity risks. Only with this knowledge, can they properly discuss those risks at board level and achieve a consensus on setting the enterprise’s risk tolerance.
When it comes to cybersecurity strategy, perhaps the single most important goal for boards and CEOs is defining the enterprise’s IT risk tolerance. Everything in business is a trade off, similar with cybersecurity, a juggling act between cost, effort, likely results, and risk acceptance.
“Where does the board want to draw those lines?”
When the COVID-19 started, there was a forced wide scale changes for almost all businesses, whether they went into hibernation, working from home or continuing with more precautions. Enterprises quickly agreed to a vast reshuffling of the workforce, moving from a perhaps a few staff one day a week remote to now 90%+ remote – a complete flip. But accepting such a massive increase in the number of remote workers—and doing so in a few days—posed a gigantic increase in risk to the organisation’s and the Boards requirement in managing this risk.
Boards overwhelmingly accepted those risks and approved the changes, mostly because they felt they had no choice.
Boards need to ask
- What could go wrong?
- In your opinion, how likely is it to go wrong?
- How many of our competitors in our vertical are doing this?
Cybersecurity today is an essential part of enterprise life, impacting data protection, compliance, potential litigation, and the customer perception of the enterprise’s protections.
Risks that board members need to think about:
- the risk in any intentional and deliberate change to the enterprise’s IT environment (new tools, new techniques, changes in cloud operations),
- The external threats have changed significantly during the climate of working from home and again in new ways as enterprises start to slowly bring workers back to corporate locations.
It is key for boards to get more involved in understanding the cyber risk with their companies not only because a rising number of breaches are making headlines but also because regulators are increasingly holding companies accountable for addressing their gaps in cybersecurity and privacy data.
Organisation’s need to understand the implications of bringing employees back into offices and the enterprise risks and benefits associated with doing so. The shift back to in-person operations gives boards the chance to reconsider all manner of operations.
Remember Cybercriminals are opportunistic
Where to begin:
Companies should consider a comprehensive security transformation, integrated with business objectives, by establishing and implementing an overarching IT Risk management strategy that breaks down silos, enhances organisation capabilities, and enables multistakeholder engagement.
Factors for board to rethink IT Risk Management Scoring
- Review the Organisation’s Risk Appetite
How do you currently score the risk that IT brings to your organisation, what is assumed?
- Identify threats to address and understand the organization’s risk profile using a risk appetite
Cybersecurity risk information provided as inputs to risk management program should be documented and tracked in written IT risk registers that comply with the Risk Mangement program guidance.
- Identify risk scenarios that can be brought onto the grid
Most companies are making cyber investments that aren’t aligned with their overall business strategy and are focusing their cyber efforts in areas that may not be relevant from a business perspective.
Companies have limited capabilities to track and assess IT scenarios. The lack of these tools makes decision making more difficult and doesn’t ensure a holistic view of the overall cyber risk environment. These typically are found in the Business Continuity Plan / Disaster Recovery
Main Scenario Headings
- Electrical
- Building
- Water
- Communication
- Person/ Staff
- Hardware / Infrastructure
- Software / Website / Email Platform / Other online platforms
Boards must ensure top management accountability and organisational compliance, it’s worth stressing that a company’s IT Strategy must be part of its business strategy. As most business processes today contain some digital element, a cross-functional cyber organization is imperative for effective security strategy deployment, embedding risk reduction into key business activities on a daily basis.