Cyber Security is not a Risk
Describing Cyber Security as a risk is a language oddity that keeps appearing at an alarming rate.
It is a dangerous and simplistic shortcut, typical of the shallow nature of some debate taking place around these issues on social media.
Cyber Security is not a “risk”: Cyber Security results from the proper application of proportionate Controls to protect an organisation from the Cyber Threats it faces. Cyber Risk results from the absence or inefficiency of such Controls.
With survey after survey, incident after incident, highlighting that many large organisations struggle to demonstrate any kind of Cyber Security maturity, the time has come for Boards to approach the problem from the right Management angle and take real action.
Cyber Security can no longer be treated as a balancing act between costs, risk and the need to ensure regulatory compliance.
The Boards of large organisations must focus on ensuring that the necessary Controls are properly implemented across the true geographic perimeter of the enterprise, taking into account without complacency the role of external partners and suppliers.
Technology alone will not help large organisations get out of such a dead-end. They have focused for too long on merely technical and tactical solutions to their Cyber Security challenges, in search of silver bullets that simply don’t exist.
Organisations need to reflect on where the roadblocks are that have prevented them from reaching a satisfactory level of maturity in the face of current threats, in spite of decades of spending in the IT and Information Security space.
They need to rethink and rewire their approach in a way that will enable them to demonstrate a degree of genuine resilience, instead of merely throwing money at the latest technology product.
Cyber Security cannot be the responsibility of “everybody”: Boards must focus on ensuring that accountabilities and responsibilities are properly in place to make sure the enterprise remains adequately protected from Cyber Threats.
In most cases, the overarching responsibility should fall in the portfolio of the CIO or the COO, and be cascaded down to a CISO who has the management experience, personal gravitas and political acumen to drive change.
Lasting change in that space will be complex and take time. Boards must ensure that a long-term Cyber Security roadmap is in place and stick to it. Changing approach every time an incident happens elsewhere – or every time a new CISO comes in – will simply kill any change momentum. This long-term roadmap must be supported by a Governance Framework that distributes roles and responsibilities from the Board down across the entire enterprise, including IT, HR, Business Units & Geographies.
Time has come for Boards to stop treating Cyber Security as a “Risk” (i.e. something that may or may not happen): Cyber-attacks are now a matter of WHEN, not IF. Boards must focus on reality and take genuine Management action to drive the implementation of protective Controls against the genuine Cyber Threats their business is facing.
This is no longer a matter of budget or resources anymore, but a very simple matter of priorities – and possibly a matter of survival for some firms.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.
The original content of this article was first published on the Corix Partners blog as 2 articles on 24 April and 13 August 2015.