By Stefan Deutscher, Partner and Associate Director for Cybersecurity and IT Infrastructure, Boston Consulting Group, and Daniel Dobrygowski, Head of Governance and Policy, World Economic Forum Centre for Cybersecurity
Is your company prepared?
In a business environment where a company’s reputation increasingly depends on how well it acts as a steward of customer, client and partner information, boards of directors must be able to make informed decisions about cybersecurity.
Boards exist, among many other important tasks, to set risk appetite, hold managers accountable, and create appropriate boundary conditions for employees to live up to the expectations placed on them. In an increasingly digital world, cybersecurity must be a key component of these responsibilities and business leaders need to set the example that cybersecurity is important for long-term resilience.
Here are five things that board members could do to enhance their company’s cybersecurity.
1. Learn about cyber risks
Board members don’t need to be experts in cybersecurity, but they do need to become more knowledgeable about cyber risk. Today, when only one-third of board meetings regularly cover cyber issues, this knowledge can be brought into the board in a number of ways. Tabletop exercises, “wargaming” cyber crises and other on-going training need to be part of every board’s common practice. Some companies, including those as varied as Hewlett Packard Enterprise, Goldman Sachs and Spirit Airlines, are adding an experienced board member responsible for cyber risk.
Boards also need to hear from internal and external cyber experts. Every major company would be wise to have an executive responsible for assessing and managing their cyber risk. They should, on a defined regular basis, report to the board and be able to do so frankly, with integrity.
2. Don’t assume your industry is safe
Financial services firms have long known that ensuring maximum cybersecurity is a vital corporate goal and critical infrastructure companies, like electricity utilities, have quickly adapted. Industries such as automotive, aviation and healthcare are also recognizing that their reliance on devices and the internet of things has vastly increased their likelihood of being the target of cyberattacks and as such have changed their risk profile.
But even across industries aware of the importance of cybersecurity, cyber resilience capability and maturity vary widely. And industries that have so far been less targeted for cyberattack, like the extractive industries, will need to improve their cybersecurity posture to protect IP and other private or confidential information.
3. Include cybersecurity from the start
It is no longer possible for companies to innovate first and provide for security and privacy second. When a company is considering adapting or, even more importantly, creating new technologies, boards must demand that these technologies conform to their cyber-risk determinations and that cybersecurity be included by design from the outset.
Artificial intelligence (AI), which can change and act in ways that even the creator cannot anticipate, will particularly challenge the risk assessments of even the most cyber-savvy board. For example, while many executives look to AI as a tool to strengthen cyber defence, which it certainly can be, they often don’t realize that AI is already being used by malicious actors as a tool for attack, and worse, AI itself can become a target of attack. Board members need to understand the degree of risk their companies can face with regard to AI.
Similarly, quantum computing is moving from science fiction to reality faster than mobile telephony did. Quantum computing not only has the potential for enormous value creation in certain use cases, but it also has the potential to obliterate many of the established forms of practical cryptography currently used in business environments to secure data and transactions. Companies concerned with data security must start preparing for what is called “post quantum cryptography” or encryption methods that do not rely on popular and common public-key algorithms that can be efficiently broken by quantum computers. Boards much ensure that their managers have their backing to experiment with these new methods to ensure future security.
4. Familiarize yourself with cyber ratings and assessments
For years, many corporate leaders believed that by adding yet another cybersecurity tool or service, their company would automatically become more secure. Today, with greater experience and sophistication, analysts can move from inputs (“what tools do they use”) to outcomes (“what do the tools achieve”) to effectively and accurately assess how well a company is ensuring its cyber resilience.
Boards will need to become familiar with cybersecurity and cyber-resilience ratings quickly. In a context where people want transparency about how well a company is protecting their data, cyber reputation is company reputation. Equally important, insurers, procurement departments and credit-rating agencies are understanding the significance of such ratings, using them and making them their own. In the very near future, ensuring effective cybersecurity will become a prerequisite for obtaining a reasonable insurance rate, a contract or a good credit score.
5. Embrace cooperation
Cyberattacks used to largely be the work of isolated individuals, such as criminals or hacktivists, but today they are increasingly caused by networked adversaries, such as organized crime groups and nation-state-backed actors, making individual defence consistently more challenging. As Stanley McChrystal, former United States Army General and Senior Fellow of Yale’s Jackson Institute for Global Affairs, , has said in reference to modern warfare, “to defeat a networked enemy we have to become a network ourselves”.
To succeed in managing the cultural shift that boards and their companies need to make if they are to thrive in the hyperconnected world of the Fourth Industrial Revolution, they can’t simply act alone. Boards of directors set company culture and they need to demonstrate from the top how to partner. This means taking an active role in working with peers at other companies and across their ecosystem to develop and share best governance practices.
It also means working with government leaders and ensuring that company management does too. For some companies, it may even mean becoming part of the new global architecture of cybersecurity cooperation, as evidenced by new alliances, such as the Charter of Trust or Cybersecurity Tech Accord, which are attracting hundreds of companies around the world. Moving forward, cooperation will be the key to success in a time of increased cyber risk.
This article is related to the World Economic Forum’s Annual Meeting in Davos-Klosters, Switzerland, 21-24 January 2020.
