The UK Government recently announced plans to fine companies up to £17 million for not having strong enough measures in place to protect themselves from cyber security breaches.
Yet, while KPMG’s latest annual global CEO survey highlighted that cyber has rocketed to the top of leaders’ recognised risks, almost three quarters believe their business is not fully prepared for a cyber event.
Recent victims include the NHS, UK Parliament, Renault and pharmaceutical provider Reckitt Benckiser, and data from research giant Gartner predicts that 60% of digital businesses will suffer service failures as a result of IT security issues by 2020.
Getting it wrong can be catastrophic not only for a business, but for its leadership too. Marissa Mayer, formerly of Yahoo, and Dido Harding, ex-CEO of TalkTalk, are both no longer in position following damaging data breaches that saw customers switch providers and reputation, shares and profits dive.
These are prime examples not only of the risks to a business, but also to C-suite professionals likely to take the hit, in some cases beyond recovery, for their company’s cyber problems.
Although keeping abreast of digital change is challenging for even the most talented cyber security professionals, due to the speed of advancements, there are a number of key considerations for leadership.
The focus should be on ensuring process, people and technology work harmoniously to mitigate threats posed by cyber attacks as well as embedding these principles into the commercial operations of the business.
True cyber security goes beyond how secure a business can make its systems and data. More importantly, it’s about understanding all of the information available and managing an appropriate level of risk.
For organisations of scale including financial services, home to high levels of customer and operational data both critical to performance and consumer trust, dedicated safeguarding roles such as chief information security officer (CISO) have emerged.
Initially a technical role, the rise of the CISO has come about through increased board education on the commercial impact of systems, processes and people with the wrong risk profile.
Not every firm has capacity for a CISO, with the security remit falling to a CIO or CTO in cahoots with the CFO. Regardless of business size, an essential skill required of any elected security leader is the ability to break down silos and work with other board members and management, to unpack the implications of risk to their function or business unit.
Where CIOs have stepped outside of a pure ‘IT’ agenda to enable commercial growth and transformation, the CISO must follow. CISOs must have a full and deep understanding of the business’s data portfolio, preventing a scenario in which vulnerable data is unaccounted for, or left exposed.
As threats evolve faster than the technology and policy to counter them, CISOs and other cyber security leaders must maintain activities to pre-empt risk, identifying and addressing gaps and the data within them. Managed and maintained effectively, any data lost should be less critical.
Culture, collaboration and contingency
As regulation surrounding cyber security continues to increase, leadership success lies in making sure the issue of data security has the right profile within an organisation. Top-down is the only way to win this battle.
Previously, IT leadership roles were technical and sometimes isolated, with individuals largely responsible for managing the practical technical solution. While there is still a need for this, the impacts of cyber and information security are now far reaching, touching most aspects of a business and as a result, must be embraced by all board level leaders.
A case in point is Warren Buffett, Chief Executive of multinational conglomerate Berkshire Hathaway, who recently cited cyber attacks as the number one problem.
For CISOs this presents an opportunity to work with wider leadership teams to embrace ownership of risk and response in their area, before providing predictive, preventative and pragmatic activities to mitigate cyber threats.
Yet, while security is a priority for all businesses, for those that are part of a customer focused value chain, leadership must evaluate all of the links where data may be vulnerable.
In sectors such as banking, consumer data flows between retailers, payment networks and banks. If one link is secure but others are not, all companies in the chain are at risk of breaches and the potential damages that can ensue.
Security leaders should be capable of working collaboratively to ensure the whole business can withstand cyber threats, as well as continuously evolving to satisfy the increasingly complex regulatory landscape.
Similarly, firms with an international footprint must unite across borders to comply with different legislative demands such as the EU’s upcoming GDPR and the Financial System Analysis and Resilience Centre in the US.
As recent months have shown, no organisation’s systems, protections or procedures are perfect and few would be assured enough to label themselves ‘immune’ to cyber threats.
A crucial skill required of security leaders is their response to an incident: rapidly mobilising both their own and partners’ technical resources to manage incidents and, in the worst case, recovery.
CISOs must have the raw leadership skills to face attention from the market and from within. They must deal coolly with voluminous demands to restore services in line with a commercial imperative, while ensuring the ongoing protection of the business.
The rhetoric surrounding cyber security is known for inciting fear in business leaders and while data is hard to put on a balance sheet, it is unquestionably a high value critical asset to almost every business.
Cyber security grabs the largest headlines when there are breaches of customer data, as people tend to feel the risk personally and demand action. But as recent breaches of product security, such as those surrounding HBO and ‘Game of Thrones’, show, all digital and information assets are subject to the threat of nefarious exploitation.
From the IP for a new drug, to an innovative engineering process or product patent, cyber security professionals are at the very heart of maintaining market share, and enabling businesses to remain competitive.
Businesses are relentlessly becoming ever more digital. Cyber security success lies in having dynamic functional leadership that unites the board, through an understanding of business & technology risk, while at all times enabling nimble commercial action.
Cyber security needs a focal point, be it CISO, CIO or CRO, but it must be understood as a ‘whole board’ issue. The days of protection alone are long gone, cyber is all about competitive advantage, differentiation, and the assurance of customer and commercial value.
Sourced from Matt Cockbill, IT and digital leadership specialist at executive search firm Berwick Partners