Strategy and Governance /

Cyber Attacks: A matter of “WHEN” not “IF” for the Boards of large organisations

Green map overlay

The first RSA Cyber Security Poverty Index, published in June 2015, highlights that 75% of respondents show a significant Cyber Security risk exposure – describing the results of the survey as reflecting an “unacceptable status quo”.

None of this is really new and, in fact, the results strongly echo those of the survey conducted by McKinsey & Co for the 2014 World Economic Forum in Davos.

From a Board-level perspective in large organisations showing such low levels of Cyber Security maturity – the problem must be seen as a “high stakes topic” requiring the CEO’s involvement (as McKinsey & Co have recently pointed out), but the time has passed for Boards to think about it in terms of risks i.e. things that may or may not happen. Cyber Attacks should be treated as a matter of WHEN, not IF.

Cyber Security cannot be approached as a balancing act between costs, risk and the need to ensure regulatory compliance anymore – and the time has come for  Boards to take control and drive real action.

Technology alone will not help large organisations get out of such a dead-end. They have focused for too long on merely technical and tactical solutions to their Cyber Security challenges, in search of silver bullets that simply don’t exist.

Organisations need to reflect on where the roadblocks are that have prevented them from reaching a satisfactory level of maturity in the face of current threats, in spite of decades of spending in the IT and Information Security space. They need to rethink and rewire their approach in a way that will enable them to demonstrate a degree of genuine resilience, instead of merely throwing money at the latest technology product.

As we pointed out in April 2015 in one of our blog posts, the time has come for the Board to stop treating “Cyber Security as a Risk”.

There is little to add to what we wrote at the time. It starts with making sure that the right people are in charge and that accountabilities and responsibilities are properly distributed across the whole enterprise, and not just sit with IT. The change agents (CIO, COO or CISO) must have sufficient management experience, personal gravitas and political acumen to drive change.

Boards must focus on ensuring that the necessary Controls are properly implemented across the true perimeter of the enterprise. This includes taking into account, without complacency, the geographical footprint of the business – as well as the roles of external partners and suppliers.

Lasting change in that space will be complex and take time, and the Board must ensure that a long-term Cyber Security roadmap is in place – and stick to it. Changing approach every time an incident happens elsewhere – or every time the CISO changes – will simply kill any change momentum.

The time has come for the Board to focus on reality (not risk), take genuine Management action and drive the implementation of protective Controls against the genuine Cyber Threats their business faces. It should not be a matter of budget or resources, but a very simple matter of priorities – and possibly a matter of survival for some.

Read our full analysis here, covering the 6 real questions the Board of Directors needs to ask, as published on Information Security Buzz – an independent resource that provides the best blogs, opinions and news for the information security community.


JC Gaillard

Managing Director

Corix Partners

Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.