Is The Board Ready For A Cyber Attack?

by Sohini Bagchi    Mar 03, 2017

Cyber security and its management are a major concern across the enterprise, with newer and more complex threats constantly evolving. Cyber security is no longer just a technology issue. The importance of senior management and board engagement on the issue has been generating a lot of discussion, all the more so because the wave of security breaches hitting leading organizations across sectors has made it clear that no organization is immune from this threat.


At a recent panel discussion on the topic “Is The Board Ready For Cyber Attack This Afternoon,” eminent panelists from the industry highlighted some very interesting issues about boardroom preparedness for dealing with cyber threats. As the session moderator Jaspreet Singh, Partner, Ernst and Young, LLP, said, “As cyber security issues increase and become more visible, boards must decide to take an active role in understanding the risks associated with those issues. And it is not just the CIO or the CISO who needs to be involved; today CXOs and directors across the boardroom should be more preemptive in evaluating cyber security risk exposure as an enterprise-wide risk management issue and not limiting it to an IT concern.”

Remediation or prevention?

“Organizations need to understand whether security is a tactical necessity or a strategic imperative. How important is it to be compliant? When an employee walks in with his own device and uses the applications of the company’s choice during work hours and then plugs into applications of his own choice, the boundaries are blurring,” Anil Bhasin, MD, India and SAARC, Palo Alto Networks stated.

In this context, Bhasin said that it is the value you assign to your assets that helps you design the security strategy. “In other words, you have to understand the value of the data, who has access to it and how it can be protected. In this respect, boards have to make a choice whether it is remediation or prevention,” he said.


Shyamol Das, Head of Technology, BRAC Bank and CEO, BRAC IT Services, Bangladesh, mentioned that while cyber security was not a hot topic in Bangladesh 5-6 years ago, today it is a key discussion in every boardroom, especially after the Bangladesh Bank hacking incident.

“In a non-IT company, say in our case, a financial organization, the board members come from different backgrounds. Hence it becomes difficult to give ownership of cyber security to non-technical people. It is therefore important to have a board member who can understand the importance of information security,” asserted Das, adding, however, that high-level decisions on policy and the organization’s approach to information security need to come from the rest of the C-suite. These are areas where the board and senior leadership can really make a substantial contribution.

Evaluating cyber threat readiness

Experts believe boards of directors must not only devote more attention to cyber risks, but also evaluate their organizations’ readiness for an attack.

Dheeshjit VG, CIO, Infosys Limited, and security evangelist, believes times are changing and that with the advent of new technologies, a cyber attack is becoming as grave as terrorism. In such a scenario, the board must have a cyber security committee. “When offering solutions, we have to see whether the company provides enough ammunition to protect itself and, if there is an attack, how fast it will be able to recover.”

He stated, “It is also important for enterprises to have a culture of cybersecurity, as in the case of Infosys, which consciously follows that practice on the level of access we are giving out.”


Partha Sengupta, Vice President, IT Services, ITC Infotech India, added, “Any company can get compromised, despite there being huge security teams working in them. Two key factors are incident response and digital forensics. It is important how fast an organization recovers from an attack.”

It is also important to have a cyber security auditor who can certify that the level of security is reasonably acceptable, in order to convince the shareholders. Since we are living in a digitized era, it is essential to have a distinct framework that meshes with the latest standards and contemporary practices, he said.

Implementing the best practices

The panel agreed that the board plays a critical role in understanding the risks associated with cyber security and confirming that preventative and detective controls are in place. In order to do so, organizations should consider implementing the following practices:

- Increasing the frequency of cyber security related presentations to the board

- Allowing CSOs and CISOs to present their findings and strategies directly to the board, rather than through some other C-level representatives

- Treating cyber security as a matter of enterprise-wide risk, not just as a function of IT practice

- Implementing business models that establish a quantitative estimate for cyber risks, exposures, and potential damages, to better align business objectives and security goals.

Finally, a proper oversight program can help companies streamline board reporting, integrate multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place, mentioned Singh.

Experts agree that all this can help CXOs gain a better understanding of what assets might be at risk, how to estimate potential losses, and how to mitigate threats in the long run through new security practices and investments.