Cyber Security: Revisiting the Questions the Board Should Ask
One Board member must be in charge and their pay package must ride on it
In 2015, in the wake of the TalkTalk data breach which made a massive impact in the UK media and even got politicians involved, we first explored the key questions the Board should ask in large firms around cyber security.
What a difference 4 years can make … At the time, our line of thought was very much on making the Board understand its exposure to cyber threats and what was being done to counter them, especially across the supply chain, as the concept of a hyper-connected world bound by data and powered by emerging technologies was on the horizon.
At the time, the McKinsey Institute was estimating that emerging technologies could create up to USD 20 trillion of economic value, of which cyber threats could destroy up to 3 trillion. Although we have seen no update on this research and its eventual accuracy, it cannot be denied that cyber-attacks have intensified and have been widely reported across the last 5 years – from Sony in 2015 to Capital One this year, with Equifax, British Airways and Marriott reporting breaches in the last 12 months alone, and not discounting the widespread WannaCry / NotPetya outbreak of 2017, which badly impacted industrial and logistics giants such as Saint-Gobain and Maersk.
Equifax has now agreed to a USD 700M settlement for its 2017 data breach, and the UK data privacy regulator is threatening British Airways and Marriott with nine-figure fines under the UK equivalent of GDPR. So the numbers are getting larger and larger, and it is hard to imagine a Board member today in any large organisation who would be unaware of cyber threats.
Of course, priorities may vary in line with economic conditions or the general health of the business, but “cyber” is on the agenda of all Boards, and consistently rated as a top risk by many.
The last decade has undoubtedly been a decade of realisation for senior executives around cyber security: this is no longer about risk (things which may or may not happen) or compliance (boxes to tick and unnecessary bureaucracy). The “When-Not-If” paradigm has changed the game.
And with it the focus of the Board has shifted towards execution, very often in exchange for significant investments in cyber security – in particular where initial maturity levels were low.
This is no longer about understanding what’s being done against cyber threats, it’s about getting it done, and getting it done now.
So frankly, our 6 questions from 2015 now boil down to 2, in particular where a large programme of cyber security transformation is needed:
Who is in charge?
A Board member must take direct accountability and responsibility for the security transformation programme delivery. Period.
This is no longer about wheeling in the CISO twice a year. This is about getting clear and accurate reports on progress at each meeting, in return for the large investments consented to.
So one Board member must carry the can. Preferably one closely associated with the operational challenges involved – not the Head of Risk or (with respect) the Head of HR…
This is not about knowing which head will roll at the next breach, but about giving the initiative the right profile: any large-scale security transformation programme can only be complex and transversal. In global firms, the international aspects can add a considerable dimension to the task. Without the credible and visible backing of the most senior sponsor, the chances of success are significantly diminished.
At the same time, the task must convey a degree of accountability, and must become a factor in determining the compensation of the Board member in charge – in stock and in cash, and retrospectively. The situation which has surrounded the ousted CEO of Equifax will not be tolerated much longer by consumers, citizens or politicians, and can only breed adverse sentiment against the corporate world and further regulation.
What are we doing about it?
Here, it is time to go back to monitoring good old-fashioned milestones against the deliverables of the programme of work.
What was meant to be done last month and did it get done? No need for convoluted “return-on-security-investments” discussions or fuzzy risk models.
Of course, the detailed tracking of achievement should be done downstream from the Board, in particular for large, complex or global programmes.
But the consolidated results should be clear, concise and factual and delivered in person by the Board member in charge.
Those 2 actions – personalisation and factualisation, underpinning a drive towards clarity and simplicity – will bring results over time, but here lies the main challenge for many Boards and their members:
Thinking over the mid to long term and keeping a steady course in the face of potentially changing business conditions is necessary to the success of any complex cyber transformation programme, because of its inherent transversal complexity (and also because, in many cases, this is about catching up in a few years on 15 years of lip service or under-investment).
The Board must be capable of driving a long-term vision for all this to work, even if “in the long-term, we’re all dead” …