Over the past 20 years cyber risk management has evolved significantly with the responsibility for cyber risk mitigation shifting from the sole purview of the infosec team to virtually every functional area within an enterprise-class organization today. From HR and legal to software development and product management, everyone is demanding their vendors and partners meet requirements for cyber hardening and security. A cyber review of any potential merger or acquisition target is now customary. And with multiple recent examples such as Kaseya and SolarWinds, supply chain cyber diligence is absolute table stakes for any business operating today.
And this absolutely raises the stakes for Boards of Directors and the critical role they play in an organization’s cyber resilience strategy. With data being the lifeblood of any organization, enterprise preparedness and business continuity planning can’t be just an annual exercise. Not when attackers continue reaching into an increasingly sophisticated bag of tricks that includes everything from AI-based deep fakes to automated hacking techniques. Given the current threat landscape, we must all be in a state of continual assessment and this includes keeping cyber priorities at the top of the agenda for board updates, versus waiting for an end-of-year summary. As we know, despite all the investments made in cybersecuritry it is not a set and forget proposition. Breaches will happen and business leaders and security professionals need to find a way forward to get ahead of the threat. Today that necessitates employing new and different approaches to mitigate breaches and data compromise, and the board plays a vital role in driving this evolution.
Board engagement on cyber risk management is central to the work of the World Economic Forum’s cyber risk and corporate governance initiative that Forcepoint has been supporting the last year. A key focus of this initiative’s mission is to help counsel directors on dealing with technology and cyber risk in collaboration with the National Association of Corporate Directors, the Internet Security Alliance, and the World Economic Forum's corporate partners. Together, this consortium developed a recent report that established six principles to help boards guide their organizations to becoming more cyber resilient. These included;
- Cybersecurity is a strategic business enabler
- Economics drive cyber risk
- Cyber risk management must align with business needs
- The design of organizations must support cybersecurity
- Cybersecurity expertise needs to be integrated into board governance
- Systemic resilience and collaboration ought to be encouraged
Recently, I joined fellow collaborators within this initiative - Dan Dobrygowski, head of governance and trust at the World Economic Forum’s Center for Cybersecurity, and Maya Bundt, head of cyber and digital solutions at Swiss Reinsurance - for a fireside chat on some of the key findings from the report to help business leaders better understand the business impact of cyber risk and stay ahead of today’s threats. Our discussion dove into four of the aforementioned principles: how cybersecurity enables business, the economic drivers of cyber risk, aligning with business needs, and ways to incorporate cyber expertise into board governance. We believe adapting to cyber risk is the cost of doing business today. In response, boards must view cyber risk management as an enterprise-wide priority and core to their fidicuary duty.
After all, when more than 70% of breaches are financially motivated, the attacker’s burgeoning enterprise can become your biggest competitor. Modernizing security now to protect your organization’s digital crown jewels and business integrity can move your mission forward, whether that’s growing revenue or helping your communities recover from the pandemic, and ultimately become a competitive differentiator ahead.
Please join us for this discussion by registering for the July 21 webcast.
You can also read ahead by downloading the full World Economic Forum report, “Principles for Board Governance of Cyber Risk.”