Issue Seventeen

August 2022

For years now organizations have undergone transformation and modernization efforts to remain competitive in their respective markets. We’ve witnessed a mass migration to cloud-based technologies and Software as a Service (SaaS) platforms to harness agility and mobility at scale. Those organizations that have yet to do so are not only struggling with stagnation and rigidity, but they also carry the heightened risk of maintaining and securing antiquated technology environments – making the protection of sensitive data challenging and cumbersome – creating unmanageable bandwidth constraints for IT teams.

The imperative for organizations is to gain visibility of - and establish governance for - the entire enterprise risk landscape, to include cybersecurity and data privacy. Executive leadership and stakeholders must be informed of the critical context necessary for positioning technology and security modernization as holistic investments in risk reduction, resilience improvement, and organizational transformation - as opposed to line items on a list consequentially categorized as unbudgeted IT transactions.

This evolution in the digital mindset of organizational leadership is necessary when establishing competitive advantages in turbulent markets, amidst a massively expanding cyber threat landscape. It is our social responsibility to not only transform ourselves as leaders, but to weave those transformational values into the cultural fabric of our organizations. This can only be achieved by board members, stakeholders, and executive teams leading as the examples.

As cybersecurity attestations become the price of admission for obtaining insurance, acquiring new clients, and securing reputations – the importance of establishing a culture of security-first principles is non-negotiable. Transparency in these efforts is paramount, as consumers and regulatory bodies look for organizations to provide assurance that they’re conducting business responsibly - to have a positive impact on consumers, supply chains, and society as a whole.

“Thoughtfully assessing and addressing enterprise risk and placing a high value on corporate transparency can protect the one thing we cannot afford to lose: trust.” – Dale E. Jones


ZEROING IN


Does Your Board Really Understand Your Cyber Risks?

Harvard Business Review

Some things are simply worth repeating. Effective enterprise risk management must include a focus on cybersecurity and data privacy. Effective enterprise risk governance requires leadership and commitment from senior management and the board of directors. Since HBR first published this article in 2020, the threat landscape has not improved and the corporate imperative to address cyber threats has grown exponentially. Arguably, boards and management don’t just need, they now require, a “risk-oriented, holistic, and validated view … that considers the financial and business impacts of cybersecurity (or cyber insecurity).”

Cybersecurity is an enterprise risk issue – not just an IT problem. Assessing cyber risk within an organization is no longer about checking boxes but about assessing the maturity of an organization against an established tolerance for cyber risk. This is an easier task when cybersecurity and resilience are embedded in the culture of the organization. This culture starts from senior-most management and the board of directors.

Assessing cyber risk alongside other enterprise business risks and strategic opportunities “will vastly improve companies’ understanding of their cyber risk and provide a clear path for evolving oversight as the approaches develop.” While there are different methods of measuring cyber risk and evaluating an organization’s cybersecurity maturity, “the right outcome always starts with the right culture.” The measurement of cybersecurity governance maturity must therefore assess not only the technology, processes, policies, and systems, but also the organization’s culture.

With the threat landscape constantly evolving, it is not possible to prevent or mitigate against every potential threat. However, strong governance and culture remain crucial components of any effective cybersecurity risk management program.

SQ Insight: Tony Ogden - President, GRC


Building a cyber resilience strategy for a geopolitically unstable world 

World Economic Forum

Recent geopolitical events have shone a spotlight on - and heavily underscored - the need for organizations from all sectors, and of all sizes, to reevaluate their own cyber resilience within an increasingly unstable world. That said, so many enterprises still view cybersecurity as a purely one-dimensional, IT-only, point-in-time risk rather than a systemic and ongoing fabric of resilience.

“It is no longer good enough to hope for the best or to ‘acquire’ some technical solutions and think of cyber-security as a ‘once and done’ job or something that is optional or siloed. Cyber-security is a multi-system of continuous concern and it's now exacerbated by a global environment of continuous risk and crisis.”

And in order to develop a fabric of organizational resilience, several key systems - including the often overlooked aspect of culture - must be firmly established. Additionally, it is imperative that executive leadership and the board act as the drivers of overall cyber risk governance.

“Systematic cyber risk governance needs to be a core part of the board’s work. Keeping cyber-security on the agenda of the board and the c-suite with at least quarterly updates is a must in this environment.”

A systemic, cyber-resilient posture is not only critical to business survival during times of global uncertainty; it is in fact the fundamental foundation for achieving vitally important ESG goals and ensuring that countries and economies are able to sustainably thrive within a fully digitally transformed world.

SQ Insight: Kenneth Holley - Chairman


Move Fast—but Stay Cyber Safe

Forbes

When the Digital Revolution occurred in the latter half of the 20th century, there was minimal thought given to cybersecurity. People jumped on the new technology and integrated it into their day-to-day business in an environment similar to the Wild West – with little oversight and often guided by an “anything goes” mentality.

Today, with the onset of even more advanced digital technologies and their various buzzwords, such as digital transformation, modernization, artificial intelligence, and machine learning, are we again forgetting about the cybersecurity aspect of using these tools? I believe the answer is a resounding yes. This is because most companies believe they have the right security technologies in place to fully protect their businesses.

Many companies believe cybersecurity is a one-and-done deal and that they can move on to more “pressing” issues. This thinking could not be further from the truth. Although investing money in appropriate cybersecurity technologies and personnel training can strengthen a company’s cybersecurity stance, it does not solve the whole problem.

Strong, resilient cybersecurity requires leadership that cares enough to develop and implement a risk management framework that identifies and mitigates the risks caused by new ways of doing business amidst the current digital transformation. Without such frameworks in place as part of an overall cybersecurity strategy, there is a good chance money will be spent without really knowing if it is making a difference or not.

For example, if a business has an endpoint security manager on the network but some network devices do not have it installed or on, this creates clear weak links in the security chain, and it shows how technology alone does not solve the problem. It also demonstrates why network visibility is so critical. Without the endpoint security manager having visibility of all network devices, actions such as patching, remediation, and backups are not effective. These actions are essential in protecting the network and the data that resides on it, and they can be a way to recover from a worst-case scenario, such as a costly ransomware attack.

With average breach costs increasing 24% between 2020 and 2021, a solid, well-planned cybersecurity strategy that includes a functional risk-management framework will help businesses defend against sophisticated cyber adversaries, nation-state cyber warfare, and an increasingly complex regulatory landscape. It is not possible or sustainable to simply keep committing more people and money to managing cybersecurity risks. Therefore, it is crucial to develop and implement risk-based frameworks that proactively map investments to risk reduction.

The chain of cyber events can go on and on, but by implementing the correct technologies, educating employees, and developing the right processes within a risk-management framework, businesses can further strengthen their overall cybersecurity and their cybersecurity culture.

SQ Insight: Marc Packler - President, CISO Advisory

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
