Utmost protection from being a victim of cyberattacks, exec board offers more than cyber security lip service

Often senior management focuses on the financial results. While nobody wants to be featured in the news as a victim of a cyber-attack, many organizations fail to set actionable plans. As the ever-evolving security landscape gains pace, Yuval Baron, CEO, and Co-Founder of AlgoSec explores why there should be executive buy-in

According to a report earlier this year by McKinsey, it has always been companies in regulated industries, such as banks and insurance companies, that have prioritized cyber security at the board level.

However, other industries are still behind the curve in terms of having technical representation at the senior executive table. CIOs and CTOs, along with directors with other IT backgrounds, constitute a small margin of board leadership globally.

In a survey conducted by Harvard Business Review, more than a third of respondents indicated that they struggle to stay on top of risk and security issues and new technologies while just 13% of boards sought technological expertise with their most recent director search. This results in an imbalanced over-abundance of directors with financial and management skills but not technical skills.

So why is having the C-suite on board with cyber security so important?

It has become increasingly difficult to sit at the helm of a company and not assess the risks that exist both physically and virtually. Nor can implementing cyber risk measures replace informed decision-making at the executive level. The fact is cyberattacks present a near existential threat to any company. In 2020, breaches exposed more than 37 billion records – the highest number of exposed records in a single year. The balancing act between an attacker and defender is asymmetrical: An attacker who fails in 99% of attacks and succeeds in just 1% of attacks is successful. A defender who fails in 1% and succeeds in 99% of the attacks is unsuccessful.

Previously, the job of understanding and quantifying cyber risk fell to the CISOs and their IT teams, who primarily addressed the technical side of the problem. The goal was to take stock of established defenses and determine how vulnerable systems were. But the problem is this is a largely backward-looking approach and doesn't consider the layered defenses organizations have in place, including efforts to intentionally deceive hackers attempting to study their weaknesses, as well as the risks of insider threats and accidental misconfigurations.

This traditional approach isolates cybersecurity decisions from the businesses they are meant to serve. While technical assessments may be sufficient for the technical leaders, they do not always offer a risk-orientated, holistic, and validated the view that considers the financial and business impacts of cybersecurity. Additionally, not all reports capture governance, culture, decision-making practices, or the wider treatment of a company's cyber risk profile.

Board directors need to understand all of this if they expect to make informed decisions about, for example, where to allocate capital to improve cyber defenses and how to understand the business impact of cyber threats, instead of investing in different departments.

Digital transformation is accelerating the need

This does not mean all executives need to become technical experts. It means they need to be able to establish the company's tolerance for cyber risk, define the outcomes that are most important in guiding cybersecurity investment and be able foster a culture of cybersecurity and resilience.

In the past, CTOs and CIOs were more likely responsible for back-office outsourcing, procurement, and standardization. Fast forward to today and these positions are increasingly helping chart the course for long-term business strategy.

One of the reasons for this has been digital transformation. According to Gartner, digital transformation encompasses everything from IT modernization to the invention of entirely new digital business models. In the modern world, networks are spread over several public clouds and data centers, increasing complexity.

With this comes the need to constantly re-examine, update, and improve the use of digital technologies to solve business challenges. This reliance on digital technologies and business models poses new challenges, as companies need to understand the cybersecurity implications holistically across the hybrid network and ensure that cybersecurity is an accelerant, not a barrier, to digital transformation.

So, what can C-suites and company boards do to meet these growing needs?

Getting executive buy-in is more than just showing them reams of code and technical specifications. The threats and opportunities need to be translated into business language so that non-technical board members can understand the real-world negative outcomes of attacks caused by inaction. This includes financial and reputational costs and the forecasted return on investment.

At a minimum, CTOs and CIOs should be more visible at the board level. However, to truly execute a digital transformation strategy, executives at all levels should have the digital skills necessary to drive the agenda across an entire organization and shift cyber security from an abstract to a substantial problem.