
The Future of Cybersecurity Hinges on Boardroom Engagement Today

By Albert Chai, Country Manager, Cisco Malaysia

Cyber-attacks are increasingly sophisticated and discreet. Nation states and cybercriminal organisations frequently bankroll and mastermind these attacks with the aim of financial or political gain. If attackers have high-powered backing behind them, shouldn’t defenders as well? Isn’t it time that organisations’ top leaders were actively engaged in defence? Granted, the vast majority of enterprises have an executive with direct responsibility for security. But for modern businesses, security leadership needs to ascend even higher in the organisation: to the boardroom.

Recent hacking cases involving an aviation company and popular social media sites did little to boost confidence in the security of data uploaded online. More legislation and regulations related to data security, geopolitical dynamics, and shareholder expectations are all factors making cybersecurity an agenda item in the boardroom. A report by the Information Systems Audit and Control Association (ISACA) revealed that 55 percent of corporate directors now have to personally understand and manage cybersecurity as a risk area.

Given that in the modern economy almost every company runs on IT, an increased focus on cyber risk at the board level is a positive development, but one that is long overdue. Security is the business of every person in the organisation, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how to avoid becoming a victim.

In 2014, there were a total of 4,477 fraud cases, 1,125 intrusion incidents and 550 cyber harassment issues in Malaysia. [1] There were also an alarming 351,094 reported cases of botnet drones and malware infections, counted by unique IP, in the same year. [2] We must also understand that not all cases are reported, so some users won’t even know that they have been affected by a cyber-attack. We must take into account that these incident counts will not decrease if no action is taken to increase cybersecurity within corporations as well as among individuals.

A core component of the future of cybersecurity will be greater engagement by the board. Corporate boards of directors across industries need to know what the cybersecurity risks to the business are and what their potential impact is.

To truly understand the scope of cybersecurity issues that affect the organisation, we will likely see a rise in the number of CIOs and even CISOs on corporate boards. The phenomenon of external factors influencing board makeup isn’t new. In the previous decade, we saw a dramatic increase in the number of CFOs serving on corporate boards as a direct result of the global financial crisis and an increasingly complex regulatory environment.

With members that bring technology and cybersecurity expertise, boards can start getting answers to tough questions about security controls:

  • What controls do we have in place?
  • How well have they been tested?
  • Do we have a reporting process?
  • How quickly can we detect and remediate the inevitable compromise?

And perhaps, the most important question: What else should we know?

Even if they don’t currently hold a board seat, CIOs and CISOs need to be prepared to answer these questions from the board in terms that outline the business implications. They must be as comfortable speaking about business strategy as they are about technology and security strategy. New business models like direct to consumer, expansion into new channels and regions, and shifting supply chains can create significant business opportunities but also pose potential risk. Addressing how technology and security must align to support these models, alongside budgetary concerns and risk management, is critical.

Technology and security leaders must also possess knowledge of regulatory requirements and standards to help the board navigate and comply with new mandates. Insights into industry and technology trends, as well as the strategies and experiences of similar organisations, help provide board members with a frame of reference to evaluate current security postures and validate controls.

How to communicate is important as well. Every message should be delivered clearly, briefly, and with minimal technical jargon. For example, CIOs and CISOs are expected to understand threats and how the most recent attacks succeeded. But translating the impact of those attacks into relevant business terms such as lost revenue, productivity, or profitability will help ensure the consequences are understood.

Cybersecurity as a boardroom topic is not only a good thing, it is a necessity. As defenders, it gives us an opportunity to better educate the highest levels of leadership on the cybersecurity issues facing the business. With that knowledge, boards are equipped to make more informed security and risk management decisions and, together, we can better protect valuable assets while achieving business goals.

[1] MyCERT Incident Statistics – General Incident Classification

[2] MyCERT Incident Statistics – Botnet Drones & Malware