Governing cybersecurity from the top as a strategic business enabler

Issue 8 2022 Information Security

“Cyber threats are increasing at a rate far greater than the industry is able to cope with. Despite this, C-Suite executives still do not take cybersecurity seriously enough, while boards are not nearly as engaged in cybersecurity as they are in other areas of oversight,” says Patrick Evans, CEO of SLVA CyberSecurity.


Patrick Evans.

Cybersecurity breaches pose a major business risk and can no longer be viewed as a technology concern. Business leaders agree on this point according to Gartner’s 2022 Board of Directors Survey, which found 88% of respondents viewed cybersecurity as a business risk. However, only 13% of boards have responded by instituting cybersecurity-specific board committees overseen by a dedicated director.

In some instances, it may be the case that directors are not always completely aware of their duties and liabilities concerning cybersecurity oversight. It is also the case that many industries have been slow to adopt a security-first approach to their operations.

In the same way that boards are tasked with ensuring appropriate financial governance and due diligence, cybersecurity is part and parcel of carrying out fiduciary responsibility to shareholders and managing business risk. Cyberattacks do not simply take down a website. They can completely shut down business processes and, worse still, hold a company’s entire IP or customer database for ransom.

According to the World Economic Forum’s (WEF) 2022 Global Cybersecurity Outlook report, the average cost to a business from a cybersecurity breach is around $3.6 million. The same report also found that over and above the financial implications, a breach can affect the average share price of a hacked organisation up to six months after the event.

For years, cybersecurity professionals have understood that a sound cybersecurity strategy is simply good business strategy. Now, the cybersecurity gap between operating managers and C-Suite executives may finally be closing. In March of 2022, the United States Security and Exchange Commission proposed a set of new rules that could significantly increase public companies’ reporting of both cybersecurity breaches and the steps executive management and boards have in place to mitigate cyber risk. The SEC’s proposals raise important considerations for businesses across the globe regarding management reporting, and even how boards should be structured and organised in the very near future.

At a minimum, in the aftermath of a breach, top management should be able to address the following:

1. Are they confident that the incident is fully contained?

2. Do they know how attackers got in? What was exploited?

3. Do they have adequate controls (preventative and detective) to ensure it won’t happen again?

With the massive increase in the number of threats facing organisations and the uptick in ransomware, cyber risks need to be managed strategically. Research bears out the fact that it does not work to pay ransomware attackers. A 2022 survey of cybersecurity professionals across multiple sectors found organisations that paid ransomware were targeted again, sometimes less than a month later, for an even higher sum.

This means C-Suite executives and boards should focus their efforts on solid detection and prevention measures to contain attacks before data and critical systems are in serious jeopardy. Of course, it is impossible to eliminate risk entirely, but organisations can significantly decrease their chances of becoming repeat victims by executing the right strategies before an attack happens or remediating it right the first time before another one strikes.

It is evident that people and organisations want to engage with businesses that are secure and that the pendulum of purchasing power will land in favour of businesses that take the ever-present threat of ‘being compromised’ seriously. In a digitally connected world, organisations are now making sure companies are secure by design before signing the dotted line. The other side of the same coin is that businesses which are secure by design now have a built-in sales and marketing advantage that will win them contracts in new markets and the lion’s share of contracts in existing markets – placing cybersecurity firmly in the territory as a business enabler and well beyond the current, reluctant view of it being a necessary cost.

While regulation may force the hand of boards and executive directors, it would be unwise to wait for such an eventuality – especially when there are steps that can be taken today to ensure organisations become more effective, resilient, and forward-looking. The last straw for complacency in the form of a breach or attack is really only a matter of time.

The first and most crucial step for executive-level management is to view cybersecurity as a strategic business enabler. This shift in approach can empower a business to achieve long-term sustainability and the confidence to pursue innovation and new areas of growth. With an understanding of the economic drivers and impact of cyber risk, executives can better and more carefully align cyber risk management with business needs. By incorporating cybersecurity expertise into board governance, businesses can ensure organisational design supports cybersecurity.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Continuous security optimisation.
News & Events Information Security
Cymulate has announced its partnership with SentinelOne, a threat exposure validation and AI-powered cybersecurity platform. The collaboration delivers self-healing endpoint security that empowers businesses to increase protection for every endpoint on their network.

Read more...
Protect your smart home devices
Kaspersky IoT & Automation Information Security Smart Home Automation
Voice assistants, kitchen robots, smart lights and many other intelligent devices have become part of our everyday life. However, with the rise of smart technology comes the need for robust protection against potential vulnerabilities.

Read more...
ISPA’s take-down process protects from local scams
News & Events Information Security
During the recent school holidays, parents could rest a little easier knowing that ISPA, SA’s official internet industry representative body, is removing an average of three to four problematic websites from the local internet every week.

Read more...
NEC XON disrupts sophisticated cyberattack
Information Security
NEC XON recently showcased its advanced cyberthreat detection and response capabilities by successfully thwarting a human-operated ransomware attack targeting a major service provider.

Read more...
What’s your cyber game plan?
Information Security
“Medium-sized businesses are often the easiest target for cyber criminals, because they are just digital enough to be vulnerable, but not mature enough to be fully protected," says Warren Bonheim, MD of Zinia.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.