Cyber resilience: it’s a board level issue
The problem with cyber resilience is in the name. When it comes to managing the risk posed by potential hackers and the requirement for robust testing and defence protocols, it is frequently parked under the responsibility of the IT department. But cyber resilience is not simply something for the IT department to worry about: it should be a cause for concern for the whole board. It is a business consideration, not simply an IT one, affecting business continuity and the bottom line as well as having the potential to damage an organisation’s reputation and the very core of its business operation.
Yet recent research by management consultancy Deloitte reveals that only one in five FTSE 100 companies share detail of their testing and online business protection plans with their boards on a regular basis. In fact, the research shows that only 21 per cent of UK Blue Chip businesses regularly share security updates with their boards.
There may be good reason for this. At first glance, providing details of their penetration testing strategy, which identifies vulnerabilities within their IT systems, may be thought to provide potential hackers with valuable information. But this outlook is simplistic. Boards and investors require the reassurance that a meticulous and robust cyber resilience strategy is in place, even though they do not, and should not, require precise detail.
A more likely reason for the low profile of cyber resilience planning is the much-publicised shortage of cyber expertise within organisations. Deloitte found that only 8 per cent of companies had a member of the board with specialist technology or cybersecurity experience. A similar figure applies to the number of companies that also disclose having a Chief Information Security Officer (CISO) within their executive team. But if the IT department is not equipped or does not have C-Suite influence, then there is a huge potential problem. Boards should therefore look to supplement their resources with skilled professional expertise that has the required skillset and the capability to engage board-level involvement.
This is simply applying the same resource to the IT department which other departments already have. The financial department has board level representation and external expertise in the form of professional accountancy firms. No one expects the legal department to handle all the organisation’s legal requirements; professional and specialist expertise is required. A similar level of resource should be provided when it comes to cyber security. Not only should the CISO have board-level influence, but they should be supported by experienced professionals. Cyber resilience specialists have a much wider range of knowledge and experience than just one organisation, and are able to add significant value. This is not only because they can direct expenditure to meet precise requirements, but also because they can anticipate future threats.
While IT departments may currently be adequately resourced to manage on a day-to-day basis, it is not enough to simply protect against known threats. Penetration testing must go several steps further because organisations are vulnerable to a vast range of threats which are unknown and unforeseen. Experienced professionals will use a combination of automated testing, to identify the threat areas, and manual testing to develop, explore and investigate these vulnerabilities. Only in this way can organisations have any level of defence against unknown threats.
Every member of the board has a vested interest in the development and delivery of a robust cyber resilience strategy. If in doubt, each and every member of the board should ensure that it is on the agenda at every board meeting.
SRM has an unrivalled reputation in the delivery of all types of information security, including cyber resilience. With a keen awareness of how organisations operate, our team works with minimal disruption and maximum effect, providing an outstanding level of defence. However, no one can (or should) provide total guarantees. Be assured, though, that having a retained expert with a detailed working knowledge of an organisation’s systems means that meticulous mitigation plans will be in place and swift remedial action taken in the event of an attack, reducing its impact and minimising its disruption.
For more information on our consultancy services see our website.
For a no obligation discussion about how SRM can support your business, contact Mark Nordstrom on firstname.lastname@example.org or phone 03450 21 2151.