Tuesday, 12 May 2015

Cybersecurity and the evolving role of boards

Leadership’s engagement with cybersecurity is not only internally driven. Regulators have also begun to raise expectations. In countries like the United States, the Securities and Exchange Commission has affirmed the importance of including cybersecurity processes and events in a public company’s disclosure of risk factors and material events. In the Asia Pacific region, strict laws are emerging in several countries to enable the government and regulators to require companies to take measures to ensure cybersecurity threats are looked into.

The increasing frequency and business impact of cyber threats have moved cybersecurity planning and protection from an operational concern of information technology departments to a key theme on the agenda of most company boards and CEOs. A recent survey by global consulting firm FTI Consulting, which polled 500 board members, found that the cost of cyber security breaches has gone up by 30 per cent over the past year and that cybersecurity threats have now come front and centre in corporate boardrooms, taking the top spot in the list of worries of both board members and general counsel and displacing concern over succession and leadership transition.

Similarly, in its annual Global CEO survey of 175 banking and capital market chief executives in 54 countries, released last February, PricewaterhouseCoopers said that about four out of five CEOs polled, or 79 per cent, today see cyber security risk as the top threat to business growth. The study also showed that the majority of global CEOs – 93 per cent – consider cybersecurity a strategically important category of digital technologies in their organization.

Despite their responsibility for overseeing cybersecurity, boards often overlook one critical link in the cybersecurity chain: the board’s own role as custodian of company information. After all, a board routinely handles, stores and internally shares sensitive financial and sales data along with confidential strategic plans, senior executive compensation policies and other privileged information. Unauthorized access to any of this information could have severe consequences.

There is also the undeniable fact that all cybersecurity options entail a compromise between convenience and effectiveness. Because of the senior status of board members and leadership, there is a natural tendency to minimize any inconvenience on their part. As a result, board members often opt to access, store and share information in ways that may be convenient but are considerably less secure than what is done by the organization as a whole.

These include the sending of hard-copy packs of board materials or the emailing of PDFs.

Another compromise concerns passwords. Instead of mandating secure passwords that contain no recognizable words and that combine different character types, simple passwords such as a child’s name may be permitted. While these practices often arise from ad-hoc decisions rather than deliberate policy, they are nevertheless resistant to change because of inertia.

Given the heightened level of threats in these times, boards and senior management must do more than provide oversight of an organisation’s cybersecurity. They must set an example of security best practices from the top.

Developing a framework for evaluating board security

Leaders who want a firm, intuitive grasp of how to judge their board’s cybersecurity practices can easily end up in a tangle of jargon. Fortunately, however, it can be easily straightened out by asking three basic questions:

View the original content and more from this author here: http://ift.tt/1K4QNz9
