Achieving Enterprise Resiliency Requires A Cyber-Committed Board

Forbes 2 weeks ago

Today, 84% of the total value of the Fortune 500 is comprised of intangible assets. This means that for most major businesses, the value of digital assets, data and intellectual property (IP) is five times greater than that of physical assets. And the core DNA of their businesses, the thing that most needs protecting, lives in the virtual.

As those assets increasingly come under attack due to cyber hacking, fraud or negligence, companies find themselves scrambling to deploy more and more security controls — at a time when worldwide security spend is forecast to spike to nearly $134 billion in 2022. This trend represents an astronomical investment in defending against the rapidly escalating risk, but has yet to yield a deceleration of cyberattacks.

Against this landscape, the role of the board also continues to evolve — with an increasing expectation that board members bring a basic level of cyber competence to their roles. October was National Cybersecurity Awareness Month, so it seemed an appropriate time to share a few guiding principles that I believe are central to building and fostering cyber awareness, engagement and commitment at the board level.

Recognize cyber risk as a business risk.

Cyber risk is not an elusive, cryptic puzzle that cannot be clearly measured and articulated. The same thinking that we apply to corporate governance and managing financial, operational or legal risk can and should be applied to cyber risk. From setting the vision and establishing a framework for success to ensuring investment and overseeing auditing controls, these are the things that boards need to be doing in partnership with management — especially from early on in the operation.

Let’s use financial risk as an analogy. Not all board members are deemed financial experts, but they have competency in understanding the company’s financials, which controls are in place, which additional controls are needed and who is auditing the testing of these controls. The same framework should be applied to cyber risk. Where is the real value in the company, and what are the real risks to those assets? These two questions should be your starting point. From there, all of the same questions apply: Which controls are in place? Which additional controls are needed? How are they being tested, and how do we map against the industry? Will cyber risk be a topic across the board, within specific audit meetings, or within some other committee?

Know how to define ‘enough.’

Asking the right question, “Are we doing enough?”, is critical. But sound cyber competence means also having the ability to answer the question. It requires the ability to define “enough” in the context of that particular business and the appetite for risk, as well as how to know if “enough” is really working. What makes this especially tricky is that there is no one-size-fits-all formula for measuring risk. It’s possible for an organization to spend an infinite amount on cyber protection and never achieve perfection. And this question can quickly start to feel like an unanswerable one.

I know this from my own personal experience. During my time at Citigroup, I had the opportunity to look deeply at online financial fraud. Similar to cyber mitigation, where you know you will never get to zero, it is important to understand what your level of risk tolerance actually is to help determine what success looks like. Given the nature and scope of your business, what is regrettable versus unacceptable? For example, a board would view employees having personal content on enterprise devices very differently from a nation-state attack or misused consumer data.

Boards should be having open discussions with management to determine where the lines need to be drawn, what is most important, what is achievable and in what investment envelope.

Make resiliency the end goal.

Resiliency, by definition, is the ability to bounce back. Achieving enterprise resiliency requires not just the ability to mitigate cyber risk, but also to respond, recover and heal quickly from both real and perceived damage.

When the call comes that you’ve been compromised, it cannot be the first time you’re having a conversation about how to respond. Talking through things like escalations, disclosures and communications to customers, partners and regulators is a worthy exercise for the board and management to undertake together. What are the thresholds? How and when will it be communicated to the board? What are the board’s responsibilities in these scenarios? This is another area where external facilitators can play a helpful role.

As we move forward, enterprise resiliency will increasingly become core to a company’s agility in a crisis. Boards will continue to use acute cyber awareness to drive fundamental shifts in how organizations think about cyber risk and bring forward new ways to build successful, resilient enterprise security strategies.
