Cyber Security is not a Risk

Read By 39 Members

Describing Cyber Security as a risk is a language oddity that keeps appearing at an alarming rate. We have already highlighted this in an earlier article in March 2015 published on Computing.co.uk.

It is a dangerous and simplistic shortcut, typical of the shallow nature of the debate taking place around these issues on social media.

Cyber Security is not a “risk”. Cyber Security results from the proper application of proportionate Controls to protect an organisation from the Cyber Threats it faces. Cyber Risk results from the absence or inefficiency of such Controls.

With 79% of large organisations (>$5B Market Caps) struggling to demonstrate any kind of Cyber Security maturity (source: ‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, in collaboration with McKinsey & Company – January 2014), the time has come for Boards to approach the problem from the right Management angle and take real action.

The Boards of large organisations must focus on ensuring that the necessary Controls are properly implemented across the true geographic perimeter of the enterprise, taking into account without complacency the role of external partners and suppliers.

Boards must focus on ensuring that accountabilities and responsibilities are properly in place to make sure the enterprise remains adequately protected from Cyber Threats. Cyber Security cannot be the responsibility of “everybody”. In most cases, it should fall in the portfolio of the CIO or the COO, and be cascaded down to a CISO who has the management experience, personal gravitas and political acumen to drive change.

Lasting change in that space will be complex and take time. Boards must ensure that a long-term Cyber Security roadmap is in place supported by a Governance Framework that distributes accountabilities and responsibilities from the Board down across the entire enterprise, including IT, HR, Business Units & Geographies.

Time has come for Boards to stop treating “Cyber Security as a Risk” and take genuine Management action to drive the implementation of protective Controls against the genuine Cyber Threats they face. This is not a matter of budget or resources but a very simple matter of priorities.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business.

Jean-Christophe Gaillard

• A senior executive and a team builder motivated by analysing and resolving Security Strategy, Organisation and Governance challenges, and delivering real long-term solutions • A track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation • Over 25 years of experience developed in several global financial institutions in the UK and continental Europe, gaining exposure to all layers of management up to board level • French national permanently established in the UK since 1993; fluent in English, Spanish & French Specialties: Security Strategy, Organisation and Governance ; Security Roadmaps, Target Operating Models and Governance Frameworks ; Business Protection ; Corporate Security ; Information Security ; Cyber Security ; Operational Risk Management

Have Your Say: