Why Cyber Security is NOT a Boardroom issue

Given that the subject matter finds its way into the national news on a daily basis, it’s perhaps not surprising that many commentators suggest cyber security absolutely must be a Boardroom-focused issue. Is there any firm evidence to support these often strongly-worded assertions? In the first of a three-part series, Colin Lobley describes why the popular approach to managing cyber security is fundamentally flawed.

As a starting point, permit me to say ‘Sorry’ to all those whom I’ve tried to persuade otherwise over the years. It’s now obvious to me that cyber security is NOT a Boardroom issue. There, I’ve said it. I debated long and hard as to whether to commit pen to paper under such a controversial title but ultimately felt an overriding need to do so.

Making such a statement might see my popularity wane somewhat. After all, my view goes against nearly every other article written on the subject.

I’m also very conscious that I don’t wish to fall foul of irony by failing to provide any evidence or logical reasoning to support my own claim.

On that basis, let’s examine why the popular approach to the management of cyber security is fundamentally flawed.

Threats driving risk

A few years back, I freely admit to being a cyber security professional guilty of championing the tired ‘cyber is a Boardroom issue’ message while also jumping on the bandwagon labelled ‘A Chief Information Security Officer should have a direct line to the CEO’ for a while. That was then, this is now. Amazingly, though, these same messages remain very much in evidence.

At this point you could be forgiven for thinking that I’m ‘anti-security’. Nothing could be further from the truth.

There are big cyber threats out there. These threats drive a number of operational and enterprise risks. Corporations need to manage those risks and security is one very important way of doing that. What I’m most certainly against, though, is cyber security needing to be on the Boardroom agenda. Here’s why.

First, while global cyber crime statistics may be daunting, at a company level the impact of cyber incidents on shareholder value is actually quite small – dare I say insignificant – when compared to other risk events.

Even those companies who’ve suffered the biggest cyber attacks over the past few years had their shareholder value impacted much more severely by other events, events not related to cyber in any way at all.

Big businesses with only average cyber security controls and half-decent crisis management capabilities in place have far bigger residual risks to worry about, and those risks should take precedence over cyber security when it comes to the Boardroom agenda.

Operational and enterprise risk

Second, while it’s painfully obvious these days that our operating models rely heavily on the information assets and IT systems exposed to cyber threats, at the end of the day such threats are just another cause of operational and enterprise risk. Risk and operational performance are definitely Boardroom issues.

The value of information and IT systems in operational processes, the breadth and scale of cyber threats faced by a business and the level of security in a company all have a bearing on both of these genuine Boardroom issues, but they’re only three of many things that can have an influence.

Much like all these other performance and risk-influencing factors have been integrated into the mature management and reporting processes that already exist for risk and operational performance, so too must the information and IT systems, the cyber threats and the performance of cyber security controls be integrated.

None of these should have a direct line to the Board of Directors that circumvents what is a sensible governance system.

Boards of Directors usually look at the Top 10 risks facing the business. They certainly don’t need to look at the Top 10 risks facing the organisation and then the entire ‘Cyber Risk’ Register as well. The Audit and Risk Committee may review the long tail of that Risk Register, but not the Board. If a cyber threat-driven risk features in the Top 10, by all means focus on it, but in many cases it will not reach that point if it has been appropriately assessed.

One can understand how so many individuals – particularly security professionals – reached the stage of calling for cyber security to be on the Board’s agenda. The reason isn’t – as many would lead us to believe – because of the hype surrounding the scale of the threat.

From my own perspective, the reason is a relatively simple and benign one. It has been caused by the massive expansion of IT security standards – an expansion that has passed unchallenged by the business community.

What started off as a group of neat little standards about firewalls, anti-virus software, patching and the like has now ballooned to encompass governance, culture, risk management, IT security, physical security, personnel security, business continuity, crisis management, disaster recovery, legal compliance, supply chain management, procurement, information management and operational business processes.

The point is that these standards now touch almost every part of the organisation. As they’re still referred to as ‘IT Security Standards’, though, responsibility for implementing them is naturally delegated from the Board to the IT security function.

Given the breadth of these standards, this delegation has – in essence and, perhaps, unwittingly – elevated that function to a place where it has a significant measure of influence and control over other business disciplines.

Such a broad remit probably is worthy of a Board-level position, but these are responsibilities that the security function never had before and, arguably, doesn’t need to have now. There’s a more sensible approach.

How to manage cyber security

Instead of being called ‘IT Security Standards’ they should be called ‘Standards for Managing Information and IT-enabled Business Operations’ (which is what they really are if properly implemented). The key word here is ‘Operations’ rather than ‘Security’. This would then naturally lead to Chief Operating Officers (COO) holding responsibility for the requirements contained in the broad standards rather than the security function. To my mind, this is much more sensible for two reasons.


First, the COO role has traditionally sat higher up the governance chain than security. It’s a role that already sits on the Board, so this simple name change removes the question of whether a new security-focused Board position is required.

Second, the security function is often viewed as a hindrance rather than a help. That’s a debate for another day, but the pertinent point is this: whether that reputation is justified or not, having a sub-optimal reputation is going to make it very difficult for a security function to positively engage with the rest of the business.

There are also reports yielding statistics to show that executive management do not feel Chief Security Officers have the corporate skills necessary to take on any other executive role.

Given the current IT security-led situation, we find ourselves in a position where the security function and CISOs are either frantically trying to upskill themselves or experiencing great difficulty in engaging the business.

The COO’s role is much better placed to slice, dice and delegate responsibilities for all of the standards’ requirements, engage those areas of the business with existing specialist skills and processes and bring them together as a coherent team. In my opinion, it’s the Chief Risk Officer who plays the key role in this scenario along with the COO, not a CISO with a CEO.

Granted, the level of residual risk will be determined by the quality of controls in place but all this means is that the ‘Top Team’ of a COO and a CRO require input from across the business (for example culture assessments from the HR Department and, yes, IT security wisdom from the IT security function).

If the COO-CRO team reviews the current performance-versus-risk report and decides that more or fewer security controls are needed, the COO, from his or her senior position, can then work with all those different roles to determine what controls will be effected, entice them to develop those controls and push them through to the rest of the business. Neat idea, isn’t it?

Colin Lobley is Director at Manigent


About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications).