Organisations have never been more at risk from cyber attacks.
Recent high-profile attacks on companies in sectors including retail, media and industry have highlighted the scale of damage now being caused by hackers and cyber terrorists. This growing threat comes at a time when there is also increasing focus on how organisations manage risk. Regulators, investors and senior executives are putting companies under pressure to explain how they identify risks to their business and how they ensure these are managed within an agreed risk appetite.
What are some key indicators that the board or senior management should focus more on the cyber risks the organisation faces?
There are some key indicators you should look out for to see whether your board or senior management needs to pay more attention to cyber risk:
- Cyber risk is reported by the IT department rather than by business units
- The board or management team has not been made aware of the biggest potential impacts of a cyber attack
- The board or management team has not been briefed at least once a year on the types of attack the company faces
- The organisation is planning or undertaking a digital transformation strategy
What is needed to tackle Cyber Risk?
Faced with this change in cyber risk and potential impact, companies must now progress from their existing IT risk governance approach and implement effective cyber risk governance. This elevates cyber risk as a principal business risk, collectively owned and managed by the organisation, and not simply a technical risk delegated to the IT department.
Unaware: IT risk governance
Too many organisations still have IT security buried within the IT department. The Chief Information Security Officer (CISO) is left to decide security levels in isolation from the actual business risks he or she is trying to manage, with little access to decision-makers at board level or to adequate funding.
Unaware of the risks, business units frequently perceive IT security simply as a cost and an obstruction, and find ways to circumvent it. Similarly, they plan strategy and take business decisions with scant regard for the risk consequences. The lack of board involvement means the security regime is not focused and board reporting is inaccurate; the organisation may not be complying with reporting guidelines and impending financial reporting requirements.
Managed: Cyber risk governance
Instead, organisations must implement a new governance process. Board members, senior managers and the CISO must understand the severity of the cyber threat landscape and how cyber attacks could impact the organisation’s finances, business model, customers and reputation.
The most damaging impacts need to be identified as priorities for the business and the IT security team: it is not enough simply to increase the security budget; the budget must be focused on the highest-priority risks.
It is essential that the appropriate governance is implemented within a structure that suits the individual organisation’s corporate governance model, risk appetite and culture, business activities and specific threat landscape.
Embedded: Integrated risk governance
As the organisation improves its ability to manage cyber risk, the cyber governance process will mature and become more embedded in wider risk governance, integrating with related business processes such as resilience, business continuity, fraud management and crisis management. This increased maturity of governance will also enable the organisation to introduce more quantitative measurements and to make use of software tools.