Cyber security – boardroom responses
December 2014 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
Companies operating in the modern business climate appear to be doing so amid increasingly hostile conditions. Not only do many firms have to contend with more stringent compliance obligations, they also must face up to a wide variety of cyber security threats. From disgruntled employees to malicious hackers and the whole gamut in between, IT and the internet is frequently being co-opted and turned into a potent weapon which can cause untold damage to companies, their clients and their reputation. For many firms, addressing these challenges can be an arduous task.
Regardless of the size of a company’s operations, it can be susceptible to cyber attacks. From small, family-run businesses to multinational corporations, there must be an increased emphasis on tackling cyber crime, and managing IT functions. Protections need to be put in place, with the tone set at the top. Boardrooms must have the right people disseminating the right information at the right times. The chief executive must play a pivotal role in driving the company’s overall cyber security and compliance strategies. However, in many respects the CEO should be guided by both the chief technology officer (CTO) and the chief information officer (CIO). Both positions have become integral to the modern C-suite and are essential for the ongoing fight against cyber criminals. Between the CIO and the CTO, virtually all aspects of the company’s technology and systems should be covered. In some cases there can be crossover in the remit of these two positions.
The coming of the so-called third platform of computing – the next phase of computing built on new, emerging trends such as mobile computing, social networking, cloud services, and Big Data analytics technologies – has meant that more and more companies are susceptible to cyber risk. Indeed, over the last few years it has been dragged into the mainstream media narrative thanks to a number of high profile attacks on prominent businesses. Recently, multinational US bank JP Morgan Chase & Co became the victim of one of the largest cyber attacks ever recorded, in terms of customers affected. Hackers compromised JP Morgan’s databases and accessed the names, addresses, telephone numbers and email addresses of 76 million households, or just under two-thirds of the total households in the US. Although the bank insists that the personal data of its clients was not compromised or accessed by the hackers, the attack serves as a timely reminder that today’s business environment is a dangerous and aggressive place. The breach, which comes less than a year after high-profile attacks against retailers Target and The Home Depot, which saw the credit card information of tens of millions of customers stolen, reinforces the need for vigilant and robust cyber security across the board.
E-commerce website eBay was also hit heavily by a headline-grabbing breach of cyber security. This resulted in the theft of around 145 million usernames and encrypted email addresses. Software bugs such as ‘Heartbleed’ and ‘Shellshock’ have also received extensive media coverage throughout the year, further reinforcing the world’s cyber threats.
However, despite the rising profile of cyber security, many businesses do not fully understand the scale of the problem they face. According to a recent EY report, just under half of respondents believed cyber crime was a serious threat. In countries such as Singapore, the Netherlands and Canada, only around 35 percent held the opinion that cyber security poses a genuine threat. Unfortunately, attitudes towards cyber security only really change after the fact. In order to tackle the rise of cyber criminals, firms must be more proactive and strategic in their response to challenges in this area.
The ubiquity of the internet offers innumerable benefits to firms and their clients. But it also presents companies and their executives with new challenges. In many respects, it has never been harder for the C-suite to successfully lead companies down the right path. Many firms are still attempting to readjust their businesses following the fallout from the financial crisis and the subsequent economic downturn. The crisis heralded broad regulatory and legislative changes which have had a transformative effect on different operational areas. Businesses have also been required to contend with changes such as the blossoming of internet communications and social media.
Technological advancements have certainly made it easier for companies to communicate with their clients and the general public. But communications technology has also come to represent one of the biggest threats to firms and their future profitability. Interaction with customers and clients via the internet and social media are a necessary but risky endeavour. Companies that mismanage their communications strategies in the digital age run the risk of serious reputational damage. The emergence of the third platform adds a new set of challenges associated with Big Data, analysis and security.
In isolation, changes of this magnitude can be manageable. However, since the financial crisis took hold in 2007, the pressures faced by the C-suite have made life particularly difficult. It is here that the CTO and the CIO come into their own.
The role of the CTO is arguably one of the least understood and defined roles in the modern boardroom. But despite the confusion surrounding the position, it is rising to prominence. In 2009, the US government selected its first ever CTO in Aneesh Chopra, appointed by President Obama. Megan Smith, who previously served as VP of Google X, was recently appointed the country’s third CTO. At the governmental level, the CTO is responsible for analysing the administration’s tech policy issues as well as the government’s own technology platforms, and trying to promote innovation and entrepreneurship around the country. Clearly, the CTO has never been more relevant. In August 2013, the US Department of Homeland Security appointed the former CTO of security firm McAfee as head of its cyber security division.
A CTO’s responsibility is to provide overall awareness of technologies that can be used to advance the mission of the wider organisation. Moreover, the CTO should be responsible for directing a company’s overall technology policy. Identifying opportunities and business risks, monitoring technological developments which could ultimately impact the firm, and handling corporate governance and compliance standards are just a few of the major responsibilities which fall within the CTO’s remit. The CTO must have a deep understanding of technology and how it will affect their firm. Often the CTO is also responsible for the creation and protection of valuable intellectual property. IP can present CTOs with significant challenges, as any IP valuable to the organisation needs to be closely guarded.
CTOs have a wide ranging remit, and the executive occupying this position needs a full grasp of its gravity. A company’s CTO should be able to prepare the business for the next phases of its technological development, and manage the challenges and opportunities that will accompany this process.
The CIO is often charged with driving competitive advantage, strategic change and innovation throughout their firm. The role has become more central to companies and their profitability in recent years – particularly as IT functions become more pervasive. Much like the CTO, the CIO will be required to help realise the organisation’s information and technology vision in accordance with the shifting sands of the tech and cyber security sectors.
Cloud computing is one area most likely to come under the purview of the CIO. The cloud represents the future of data storage. Many companies have already migrated their data to cloud architecture. As the third platform takes hold in the future, many more will follow suit. There are too many positive factors associated with cloud storage, including lower IT costs and increased efficiency, for it not to be a major part of computing, and therefore business, for a long time to come. Furthermore, as we enter the next phase of the internet – the so-called ‘internet of things’ – the cloud will be even more important. Despite the many advantages of the cloud, perceptions of the technology can be rather mixed. Its potential vulnerability to hacking has heightened mistrust of the technology. Recent high profile attacks against Apple’s iCloud servers, for example, brought cyber security and cloud vulnerability to public attention in a way that hacking of corporate cloud storage companies never could.
Yet despite these security issues, for the CIO the cloud can offer a number of important opportunities. A firm’s CIO should prudently evaluate all IT functions as potential candidates for cloud computing and be prepared to identify new business opportunities that will deliver the best return on investment. It is here that the CIO can have a significant say in helping to determine a company’s response to cyber threats. Not every facet of a modern business is suitable for cloud computing. Some of a company’s most critical business areas from a data privacy perspective may be deemed unsuitable for the cloud. The security of customer information, for example, is a key area of concern.
Once at the periphery of the C-suite, CIOs and CTOs are now emerging powers in corporate boardrooms. Both are central to the fight against cyber crime. Both have developed into crucial partners for the CEO. For the modern business, the CTO and the CIO provide a pivotal link between IT enablement and security and risk management. By fostering closer cooperation between the CEO, the CTO and the CIO, firms are much more likely to realise the benefits of their strategic initiatives.
The CIO and the CTO can often find themselves at loggerheads within an organisation. However, a positive, productive working relationship between the two can yield benefits. Synergy between the roles can help organisations to understand and harness the power of emerging technologies and to address their cyber security implications along the way.
© Financier Worldwide