Leading cyber security from the boardroom
April 2017 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
According to Elizabeth Denham, the UK Information Commissioner, “Cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because it is their duty under law, but because they have a duty to their customers”.
There is more than one reason to be pleased when you read Ms Denham’s concise appraisal of business’ responsibility when it comes to cyber security. Firstly, her assertion is correct and this is a topic that information security professionals have been trying to engage with business leaders on for years. The fact that it is such an influential person underlining this issue and its resulting vulnerability (not to mention her ability to levy fines on the organisations that fail) is very encouraging, especially for those seeking widescale improvement in cyber security practice. It is also encouraging because this quote was posted on the networking platform, LinkedIn, by a specialist in the physical security realm. We are now used to seeing information and cyber professionals talk about the need for board-level leadership and engagement in and with cyber security, but it is relatively rare to find physical practitioners holding an opinion on how organisational cyber posture could be improved. It shows that this vital message is becoming embedded and we can only hope that this will start to yield the change in business culture that we so obviously need.
Peter Drucker once memorably said, “Culture eats strategy for breakfast”. In other words, what people actually do on a day-to-day basis will dictate culture and that will eventually become policy; in the absence of policy, it will dictate how people behave, and where poor, unworkable or unenforced policy exists, culture will supersede it. In cyber security, this is definitely the case. New employees will fall in with the existing culture because they see it around them all the time, and so we can potentially reach the point where our security posture is effectively defined by what has always happened, rightly or wrongly, and by what everyone else does. Culture starts in the boardroom. Management adopts the behaviours and habits they see from their senior directors, so we need to make sure those behaviours and habits are of demonstrably good quality. The problem is that when it comes to our boardrooms, directors do not always handle their own sensitive information very well, never mind customer, supplier or employee information. According to Thomson Reuters, almost 80 percent of respondents to their board governance survey said that they used private, non-corporate email accounts such as Yahoo to send sensitive board documents, with 56 percent saying they printed and carried this information around with them. When it came to destroying printed and emailed sensitive board documentation in line with retention policies, 40 percent said that they were not confident or did not know if this was standard behaviour. Not surprisingly, cyber security information is the least requested information by boards according to this research, with only 32 percent requesting it. Can you imagine a boardroom meeting that did not request financial risk information? Or the board not being interested in the risk posed by high staff churn?
Part of the issue is communication. Communicating cyber security issues needs to be done with absolute clarity and we all know that this is frequently not the way it happens. According to Bay Dynamics, only one-third of IT and security executives believed that the board understood the cyber security information provided to them. The disconnection does not end there, however, as board members gave conflicting questionnaire responses about their reaction to the security information they receive regularly. On one hand, 70 percent of respondents said they did understand this information, yet 70 percent also said the information they received was too technical. Only one of these can be true, and given that two in five did not believe risk was reduced as a result of this information, our guess is the latter. So the boardroom challenge is clear: adapt, or accept an exponential increase in levels of risk and the consequences when the General Data Protection Regulation (GDPR) takes effect next year. There will surely be plenty of discussion around those consequences.
Expanding on why we should be pleased to see a physical security specialist using this quote, it offers hope for successful collaboration between disciplines. Because our businesses are connected through more than just our corporate email systems, we have a great deal more to consider when building security strategies. We have networked barrier systems, fire and life systems, alarms, video surveillance, air conditioning and maintenance portals (the list goes on). But the point is, cyber resilience, or the lack thereof, affects physical security professionals and they know cyber security needs careful management and attention. The thing is, getting this right at an organisational level requires the strategic expertise of the boardroom. Bringing the skills that senior directors have to bear on a threat that affects all parts of their business, one way or another, is the strategic piece of the puzzle that seems to be missing in many cases – and that, in turn, is enhancing the threat. Having cooperation from physical security professionals increases the likelihood of boardrooms successfully blending security resources for optimum effectiveness and their oversight will ensure the creation of a security-aware culture. All behaviours should build resilience and reduce risk across the organisation.
If we needed more of a reason to educate our boardrooms and leverage their strategic expertise, then we need look no further than the rise in the use of ransomware over the last two years. This pernicious and cynical denial-of-access malware encrypts (or in some cases, pretends to encrypt) files and prevents users from rebooting machines in order to circumvent the encryption. We have seen this initially used to attack individuals, and then businesses, but lately NHS trusts, schools and a cancer charity have all been victimised. In a worrying twist of purpose, we saw its use prior to the inauguration of Donald Trump in Washington DC, when 70 percent of the police surveillance cameras in the capital were rendered incapable of recording as the four recording systems they use were attacked by two different kinds of ransomware. What if the next physical system they try to attack is an air quality or fire and life system? We also know that ransomware attackers will return again and again to those businesses that take the path of least resistance and pay up. This has implications for all of us, as ransomware, like other attack vectors, is frequently used by organised crime gangs and can be used to fund further criminal, and sometimes terrorist, activity.
If we continue to view cyber security as an IT issue, not only are we missing huge opportunities to build organisational resilience, we are actively creating enhanced risk and an enhanced attack surface. There is expertise in our boardrooms, and badly needed leadership skills, that we can bring to bear on some of the most pervasive and wide-ranging cyber threats that business and society at large have ever faced. Criminals share and collaborate very effectively; we need to make sure that when it comes to cyber resilience we are at least one step ahead.
Ellie Hurst is the marcomm and media manager at Advent IM Ltd. She can be contacted on +44 (0)121 559 6699 or by email: firstname.lastname@example.org.
© Financier Worldwide
Advent IM Ltd.