Hadley Baldwin
As cyber attacks become ever more prevalent, sophisticated and damaging, CEOs are asking: how can we strengthen our security and readiness to respond? But it can be difficult to make sense of these increasingly complex risks, weigh up the threats and target finite resources where they can be most effective.
The resulting questions for you as a CEO include:
Effective cyber risk management requires both cyber security – the ability to reduce the risk of a cyber attack – and cyber resilience – the ability to detect, respond and recover from a cyber attack.
The ‘right’ approach demands balance – setting a cyber risk appetite that weighs the organisation’s value chain and strategic differentiators against the controls needed to protect them. It also requires cyber risks to be defined and expressed as business outcomes, so that they can be understood in the context of your overall business strategy. By understanding the likelihood and impact of these outcomes, the cyber threats are defined, distilled and communicated in a way that you and your executive team can comprehend and build into business decision-making.
You will be able to have conversations about whether to invest in preventative controls (to reduce the likelihood of a cyber incident happening) or responsive controls (to reduce the impact of a cyber incident when it does happen). Our clients often find that they reach a return-on-investment ceiling when it comes to preventative controls; it becomes prohibitively expensive to invest more in reducing the likelihood of an attack. Therefore, many of our clients choose to focus more on responsive controls. Executive teams and Boards need to be well-drilled on incident response plans to be confident of detecting, responding to and recovering from a major cyber incident effectively.
Hiring a good CISO with the right mandate and trusting them to get on and deliver is key to building cyber resilience. However, positioning the role of the CISO and the cyber security function appropriately is not always straightforward, and there is no single right answer.
Should they report to the CFO, the CIO, or someone else? Is the role accountable to the Board and the audit and risk committee? Is the role to set policies and standards (for other functions to meet) and then provide governance and assurance, or is the role to actually deliver cyber security? Is it a head of IT security, or a fully-fledged role across all aspects of cyber and information security, including human risk factors (awareness and training) and data governance?
All these models can work, and the right fit for your organisation depends on the nature of your business, your approach to enterprise risk management, your risk appetite, and the other structures you have in place. In any case, the roles and responsibilities for managing and delivering cyber security capabilities must be clearly defined and understood by all those involved.
In the face of continually evolving cyber threats, it can be hard to maintain an intelligible view of the risks you face. Are you getting the ongoing reporting and assurance you need that the risks are defined, understood and being managed effectively? You should be having productive, proactive discussions across your executive team and risk management committees about this. If you’re getting lost in technical jargon, or if you’re not clear about whether your risk exposure is acceptable or not, you’re likely to find it difficult to meet shareholder and regulatory demands. You’re also likely to need improvements to your cyber risk and resilience management processes.
As the public face of your organisation, it’s important that you as a senior leader understand and have confidence in how the organisation will align internally in the event of an attack. As described above, you must be well-drilled on your incident response plans to be confident of detecting, responding to and recovering from a major cyber incident effectively.
This includes ensuring your executive team and Board are all clear on their specific roles in incident response. It’s also important to be clear about the key messages you will need to relay as a leader in the moment of an attack, and later to rebuild confidence with employees, shareholders and regulators once the incident has been addressed. For example, having up-to-date incident response playbooks with pre-built scenarios and draft communications will help you to execute this if the real thing happens.
At Berkeley, we have experience of helping leadership teams answer these questions through all stages of their cyber journey. We can help you to:
Know the right questions to ask to cut through the jargon.
Ensure external stakeholders are satisfied.
Ensure the security of your supply chain.
Improve your ability to navigate the cyber landscape.
Enhance your security and risk management.
Allocate the right roles and responsibilities.
Create a culture of security across your organisation.