Given that the subject matter finds its way into the national news on a daily basis, it’s perhaps not surprising that many commentators suggest cyber security absolutely must be a Boardroom-focused issue. Is there any firm evidence to support these often strongly-worded assertions? In the first of a three-part series, Colin Lobley describes why the popular approach to managing cyber security is fundamentally flawed.
As a starting point, permit me to say ‘Sorry’ to all those whom I’ve tried to persuade otherwise over the years. It’s now obvious to me that cyber security is NOT a Boardroom issue. There, I’ve said it. I debated long and hard as to whether to commit pen to paper under such a controversial title but ultimately felt an overriding need to do so.
Making such a statement might see my popularity wane somewhat. After all, my view goes against nearly every other article written on the subject.
I’m also very conscious that I don’t wish to fall foul of irony and not provide any evidence or logical reasoning to support my own claim.
On that basis, let’s examine why the popular approach to the management of cyber security is fundamentally flawed.
Threats driving risk
A few years back, I freely admit to being a cyber security professional guilty of championing the tired ‘cyber is a Boardroom issue’ message while also jumping on the bandwagon labelled ‘A Chief Information Security Officer should have a direct line to the CEO’ for a while. That was then, this is now. Amazingly, though, these same messages remain very much in evidence.
At this point you could be forgiven for thinking that I’m ‘anti-security’. Nothing could be further from the truth.
There are big cyber threats out there. These threats drive a number of operational and enterprise risks. Corporations need to manage those risks and security is one very important way of doing that. What I’m most certainly against, though, is cyber security needing to be on the Boardroom agenda. Here’s why.
First, while global cyber crime statistics may be daunting, at a company level the impact of cyber incidents on shareholder value is actually quite small – dare I say insignificant – when compared to other risk events.
Even those companies who’ve suffered the biggest cyber attacks over the past few years had their shareholder value impacted much more severely by other events. Events not related to cyber in any way at all.
Big businesses with only average cyber security controls and half-decent crisis management capabilities in place have far bigger residual risks to worry about, and those should take precedence over cyber security when it comes to the Boardroom agenda.
Operational and enterprise risk
Second, while it’s painfully obvious these days that our operating models rely heavily on the information assets and IT systems exposed to cyber threats, at the end of the day such threats are just another cause of operational and enterprise risk. Risk and operational performance are definitely Boardroom issues.
The value of information and IT systems in operational processes, the breadth and scale of cyber threats faced by a business and the level of security in a company all have a bearing on both of these genuine Boardroom issues but they’re only three of many things that can have an influence.
Just as all these other performance and risk-influencing factors have been integrated into the mature management and reporting processes that already exist for risk and operational performance, so too must the information and IT systems, cyber threats and the performance of cyber security controls.
They should not have a direct line to the Board of Directors and circumvent what is a sensible governance system.
Boards of Directors usually look at the Top 10 risks facing the business. They certainly don’t need to look at the Top 10 risks facing the organisation and then the entire ‘Cyber Risk’ Register as well. The Audit and Risk Committee may review the long tail of that Risk Register but not the Board. If a cyber threat-driven risk features in the Top 10 by all means focus on it, but in many cases it will not reach that point if it has been appropriately assessed.
One can understand how so many individuals – particularly security professionals – reached the stage of calling for cyber security to be on the Board’s agenda. The reason isn’t – as many would lead us to believe – because of the hype surrounding the scale of the threat.
From my own perspective, the reason is a relatively simple and benign one. It has been caused by the massive expansion of IT security standards – an expansion that has passed unchallenged by the business community.
What started off as a group of neat little standards about firewalls, anti-virus software, patching and the like has now ballooned to encompass governance, culture, risk management, IT security, physical security, personnel security, business continuity, crisis management, disaster recovery, legal compliance, supply chain management, procurement, information management and operational business processes.
The point is that these standards now touch almost every part of the organisation. As they’re still referred to as ‘IT Security Standards’, though, responsibility for implementing them is naturally delegated from the Board to the IT security function.
Given the breadth of these standards, this delegation has – in essence and, perhaps, unwittingly – elevated that function to a place where it has a significant measure of influence and control over other business disciplines.
Such a broad remit probably is worthy of a Board-level position, but these are responsibilities that the security function never had before and, arguably, doesn’t need to have now. There’s a more sensible approach.
How to manage cyber security
Instead of being called ‘IT Security Standards’ they should be called ‘Standards for Managing Information and IT-enabled Business Operations’ (which is what they really are if properly implemented). The key word here is ‘Operations’ rather than ‘Security’. This would then naturally lead to Chief Operating Officers (COO) holding responsibility for the requirements contained in the broad standards rather than the security function. To my mind, this is much more sensible for two reasons.
First, the COO role has traditionally always been higher up the governance chain than security. It’s a role that already sits on the Board so this simple name change removes the question of a new security-focused Board position being required.
Second, the security function is often viewed as a hindrance rather than a help. That’s a debate for another day, but the pertinent point is this: whether that reputation is justified or not, having a sub-optimal reputation is going to make it very difficult for a security function to positively engage with the rest of the business.
There are also reports yielding statistics to show that executive management do not feel Chief Security Officers have the corporate skills necessary to take on any other executive role.
Given the current IT security-led situation, we find ourselves in a position where the security function and CISOs are either frantically trying to upskill themselves or experiencing great difficulty in engaging the business.
The COO’s role is much better placed to slice, dice and delegate responsibilities for all of the standards’ requirements, engage those areas of the business with existing specialist skills and processes and bring them together as a coherent team. In my opinion, it’s the Chief Risk Officer who plays the key role in this scenario along with the COO, not a CISO with a CEO.
Granted, the level of residual risk will be determined by the quality of controls in place but all this means is that the ‘Top Team’ of a COO and a CRO require input from across the business (for example culture assessments from the HR Department and, yes, IT security wisdom from the IT security function).
If the COO-CRO team reviews the current performance versus risk report and decides that more or fewer security controls are needed, the COO – from his or her senior position – can then work with all those different roles to determine what controls will be effected, entice them to develop those controls and push them through to the rest of the business. Neat idea, isn’t it?
Colin Lobley is Director at Manigent