Today, 84% of the total value of the Fortune 500 consists of intangible assets. This means that for most major businesses, the value of digital assets, data and intellectual property (IP) is more than five times greater than that of physical assets. The core DNA of their businesses, the thing that most needs protecting, lives in the virtual.
As those assets increasingly come under attack due to cyber hacking, fraud or negligence, companies find themselves scrambling to deploy more and more security controls — at a time when the forecasted worldwide security spend is expected to spike to nearly $134 billion in 2022. This trend represents an astronomical investment in defending against the rapidly escalating risk, but has yet to yield a deceleration of cyberattacks.
Against this landscape, the role of the board also continues to evolve — with an increasing expectation that board members bring a basic level of cyber competence to their roles. October was National Cybersecurity Awareness Month, so it seemed an appropriate time to share a few guiding principles that I believe are central to building and fostering cyber awareness, engagement and commitment at the board level.
Recognize cyber risk as a business risk.
Cyber risk is not an elusive, cryptic puzzle that cannot be clearly measured and articulated. The same thinking that we apply to corporate governance and to managing financial, operational or legal risk can and should be applied to cyber risk. From setting the vision and establishing a framework for success to ensuring investment and overseeing audit controls, these are the things that boards need to be doing in partnership with management, and they should start early rather than after the first incident.
Let’s use financial risk as an analogy. Not all board members are deemed financial experts, but they have the competency to understand the company’s financials, which controls are in place, which additional controls are needed and who is auditing the testing of these controls. The same framework should be applied to cyber risk. Where is the real value in the company, and what are the real risks to those assets? These two questions should be your starting point. From there, all of the same questions apply: Which controls are in place? Which additional controls are needed? How are they being tested, and how do we compare with industry peers? Will cyber risk be a topic for the full board, for the audit committee, or for some other committee?
Know how to define ‘enough.’
Asking the right question, “Are we doing enough?” is critical. But sound cyber competence also means having the ability to answer it. That requires defining “enough” in the context of that particular business and its appetite for risk, and knowing how to tell whether “enough” is actually working. What makes this especially tricky is that there is no one-size-fits-all formula for measuring risk. An organization could spend an unlimited amount on cyber protection and never achieve perfection, and the question can quickly start to feel unanswerable.
I know this from my own personal experience. During my time at Citigroup, I had the opportunity to look deeply at online financial fraud. As with cyber mitigation, where you know you will never get to zero, it is important to understand what your actual level of risk tolerance is, because that is what determines what success looks like. Given the nature and scope of your business, what is regrettable versus unacceptable? For example, a board would view employees keeping personal content on enterprise devices very differently from a nation-state attack or misused consumer data.
Boards should be having open discussions with management to determine where the lines need to be drawn, what is most important, what is achievable and in what investment envelope.
Make resiliency the end goal.
Resiliency, by definition, is the ability to bounce back. Achieving enterprise resiliency requires not just the ability to mitigate cyber risk, but also the ability to respond, recover and heal quickly from both real and perceived damage.
When the call comes that you’ve been compromised, it cannot be the first time you’re having a conversation about how to respond. Talking through escalation paths, disclosure obligations and communication to customers, partners and regulators is a worthy exercise for the board and management to undertake together. What are the thresholds? How and when will an incident be communicated to the board? What are the board’s responsibilities in these scenarios? This is another area where external facilitators can play a helpful role.
As we move forward, enterprise resiliency will increasingly become core to a company’s agility in a crisis. Boards will continue to use acute cyber awareness to drive fundamental shifts in how organizations think about cyber risk and bring forward new ways to build successful, resilient enterprise security strategies.