Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

 

 

 

Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequenses.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT’s problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risks that each risk poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

Eliminating Blind Spots: Shifting Risk Focus from Technology to Business

Ed Page - Protiviti ChicagoJonathan WyattBy Ed Page, Managing Director, FSI IT Consulting Practice Leader, U.S.

and Jonathan Wyatt, IT Consulting Practice Leader, UK

 

Most organizations are critically dependent on technology to operate in the modern world. For these organizations, technology risk management often becomes a one-dimensional exercise: an obsession with the technology rather than the business it supports.

Consider an IT-centric metric such as “99.9 percent server availability.” The metric sounds interesting, perhaps even impressive, but it is insufficient on its own. What is critically missing is a business risk management perspective: What are the potential business consequences of the 0.1 percent of the time the server is unavailable? This is the question that really needs to be answered.

Comprehensive, detailed assessment of risks requires aligning technology risk management and business risk management. Achieving this goal is not easy, but it is essential to establish a transparent and understandable link between the two elements to better achieve company objectives.

The general steps required to achieve an effective alignment of the two perspectives include:

  • Identification of key business services
  • Mapping of IT services to business services
  • Monitoring, measuring and managing the risks this process identifies

Take, for example, a major global bank that spent significant time identifying, managing and massaging its technology risk factors. Its efforts focused singularly on incidents, by tackling questions such as: How many incidents occurred? What was their duration? How long did it take IT to recover from the incidents?

But a different exercise – refocusing efforts on the success rate of completing transactions instead of the incidents impacting availability of the system – led to surprising insights. Though the reduction in incidents was helpful, the bank discovered that planned maintenance windows, which temporarily prevented transactions from occurring, had a greater impact on the number and success of online transactions. Immediately, the bank’s IT function redirected efforts to reduce the number and duration of the maintenance windows. This resulted in redesigned architecture and practices, which yielded a positive effect on transaction success rates.

As illustrated by the bank’s initial attempt, a misaligned technology risk approach often yields isolated and less-impactful results. Instead, by starting with the examination of a business service and working backward to IT, companies can identify and quantify risks that were more relevant to business success.

Some key signs of misalignment companies should watch for are:

  • Technology risk reporting that is performed for reporting’s sake or seen as a compliance exercise
  • Technology risk metrics expressed solely in IT terms (e.g., server or network availability, number of incidents)
  • Confusion about prioritization of IT investments

As companies begin to work toward alignment, it is important to remember that the process may take time. Misalignment is so prevalent because it runs deep and is often embedded into IT organizational processes and habits. Fixing this requires patience and organizational fortitude.

Once implemented, however, risk alignment not only leads to operational efficiencies, but yields other positive byproducts, such as facilitating IT funding requests. Budget increase requests tied to improving specific or critical business operations are likely to be considered more seriously than requests for general IT asset improvements.

Ultimately, alignment of IT and business needs leads to a more nimble organization that is better equipped to manage emerging technology risks and support innovation vital for success.

ORSA: Getting Ready for the 2015 Summary Report

Last week, we published a new white paper on the upcoming Own Risk and Solvency Assessment (ORSA) requirement for insurers in 2015. ORSA is a key part of the Solvency Modernization Initiative of NAIC. For the insurance industry specifically, the ORSA challenges organizations to think about their solvency and risk management processes as part of their overall risk strategy, instead of just once a year when filing the report.

In this white paper, we provide an overview of the ORSA requirement and guide you through the ORSA process and report.  We examine the risk management frameworks of leading insurance companies for common traits and issues, such as the lack of integration among various risk frameworks inside organizations. Readers can benefit from several specific suggestions aimed at helping insurers replace the traditional risk management process with a forward-looking one that embraces a more comprehensive enterprise risk management framework, as well as considers the organization’s solvency and capital adequacy. The hope is that by assessing risk in a continuous, future-oriented manner, companies can avoid repeating some of the mistakes and excesses that led to the turmoil of the financial crisis.

Jim