Governing cybersecurity from the top as a strategic business enabler

Issue 8 2022 Cyber Security

“Cyber threats are increasing at a rate far greater than the industry is able to cope with. Despite this, C-Suite executives still do not take cybersecurity seriously enough, while boards are not nearly as engaged in cybersecurity as they are in other areas of oversight,” says Patrick Evans, CEO of SLVA CyberSecurity.

Patrick Evans.

Cybersecurity breaches pose a major business risk and can no longer be viewed as a technology concern. Business leaders agree on this point according to Gartner’s 2022 Board of Directors Survey, which found 88% of respondents viewed cybersecurity as a business risk. However, only 13% of boards have responded by instituting cybersecurity-specific board committees overseen by a dedicated director.

In some instances, it may be the case that directors are not always completely aware of their duties and liabilities concerning cybersecurity oversight. It is also the case that many industries have been slow to adopt a security-first approach to their operations.

In the same way that boards are tasked with ensuring appropriate financial governance and due diligence, cybersecurity is part and parcel of carrying out fiduciary responsibility to shareholders and managing business risk. Cyberattacks do not simply take down a website. They can completely shut down business processes and, worse still, hold a company’s entire IP or customer database for ransom.

According to the World Economic Forum’s (WEF) 2022 Global Cybersecurity Outlook report, the average cost to a business from a cybersecurity breach is around $3.6 million. The same report also found that over and above the financial implications, a breach can affect the average share price of a hacked organisation up to six months after the event.

For years, cybersecurity professionals have understood that a sound cybersecurity strategy is simply good business strategy. Now, the cybersecurity gap between operating managers and C-Suite executives may finally be closing. In March of 2022, the United States Security and Exchange Commission proposed a set of new rules that could significantly increase public companies’ reporting of both cybersecurity breaches and the steps executive management and boards have in place to mitigate cyber risk. The SEC’s proposals raise important considerations for businesses across the globe regarding management reporting, and even how boards should be structured and organised in the very near future.

At a minimum, in the aftermath of a breach, top management should be able to address the following:

1. Are they confident that the incident is fully contained?

2. Do they know how attackers got in? What was exploited?

3. Do they have adequate controls (preventative and detective) to ensure it won’t happen again?

With the massive increase in the number of threats facing organisations and the uptick in ransomware, cyber risks need to be managed strategically. Research bears out the fact that it does not work to pay ransomware attackers. A 2022 survey of cybersecurity professionals across multiple sectors found organisations that paid ransomware were targeted again, sometimes less than a month later, for an even higher sum.

This means C-Suite executives and boards should focus their efforts on solid detection and prevention measures to contain attacks before data and critical systems are in serious jeopardy. Of course, it is impossible to eliminate risk entirely, but organisations can significantly decrease their chances of becoming repeat victims by executing the right strategies before an attack happens or remediating it right the first time before another one strikes.

It is evident that people and organisations want to engage with businesses that are secure and that the pendulum of purchasing power will land in favour of businesses that take the ever-present threat of ‘being compromised’ seriously. In a digitally connected world, organisations are now making sure companies are secure by design before signing the dotted line. The other side of the same coin is that businesses which are secure by design now have a built-in sales and marketing advantage that will win them contracts in new markets and the lion’s share of contracts in existing markets – placing cybersecurity firmly in the territory as a business enabler and well beyond the current, reluctant view of it being a necessary cost.

While regulation may force the hand of boards and executive directors, it would be unwise to wait for such an eventuality – especially when there are steps that can be taken today to ensure organisations become more effective, resilient, and forward-looking. The last straw for complacency in the form of a breach or attack is really only a matter of time.

The first and most crucial step for executive-level management is to view cybersecurity as a strategic business enabler. This shift in approach can empower a business to achieve long-term sustainability and the confidence to pursue innovation and new areas of growth. With an understanding of the economic drivers and impact of cyber risk, executives can better and more carefully align cyber risk management with business needs. By incorporating cybersecurity expertise into board governance, businesses can ensure organisational design supports cybersecurity.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Prevention-first approach to cybersecurity
News Cyber Security
Check Point CEO, Gil Shwed, highlights the increasing importance of artificial intelligence in defending evolving networks and protecting against cyber threats at annual CPX 360 customer and partner event.

How much protection does cyber insurance really give businesses?
Cyber Security Security Services & Risk Management
If organisations don’t meet even the minimum requirements of security and data protection, insurance will do them little good. Instead, it needs to be just one part of the digital resiliency toolbox.

Introducing adaptive active adversary
Cyber Security Products
New adaptive active adversary protection; Linux malware protection enhancements; account health check capabilities; an integrated zero trust network access (ZTNA) agent for Windows and macOS devices; and improved frontline defences against advanced cyberthreats and streamline endpoint security management.

Eleven steps to an effective ransomware response checklist
Editor's Choice Cyber Security
Anyone is a viable target for ransomware attacks and should have a plan in place to deal with a worst-case scenario. Fortinet offers this ransomware attack response checklist to effectively deal with an active ransomware attack.

Blurring the lines between data management and cybersecurity
Cyber Security IT infrastructure
In the past, data management and cybersecurity would fall under separate domains, but with more organisations making the shift to the cloud, data management and data protection have merged, essentially blurring the lines between the two.

Recession? Do not skimp on cybersecurity
Cyber Security Security Services & Risk Management
While economists are studying their crystal balls, businesses have to prepare for the worst, and preparing for a recession means cutting costs and refocusing resources; however, they must ensure they do not end up creating an enormous risk.

Organisations are increasing modern data protection for cloud workloads
Cyber Security
The Veeam Cloud Protection Trends Report for 2023 identifies what is driving IT leaders to change strategies, roles and methods related to both production and protection of cloud-hosted workloads.

Cybersecurity in Africa: The challenges and solutions
Training & Education Cyber Security
Africa faces a significant challenge when it comes to the availability and distribution of cybersecurity talent and secure IT infrastructures. Facing this challenge will require supporting and nurturing the next generation of security graduates and professionals.

Zero Trust to dominate 2023
Cyber Security Access Control & Identity Management
Traditional ways of safeguarding data are no longer sufficient in 2023. Zero Trust has emerged as a more proactive way for businesses to keep their systems, data, and networks protected against compromise.

Cybersecurity in 2023
Technews Publishing Gallagher Cyber Security
What is on the cybersecurity menu in 2023? Hi-Tech Security Solutions offers two views from industry players on the risk environment and what to look out for in the cyber world in the coming year.