Efficient governance, processes, and collaboration are behind the best cyber security strategies.
Cyber security and data protection have been hotly discussed in recent months, with those debates spurred on by a seemingly endless drumbeat of major cyber security incidents. Cyber criminals stepped up their attacks on global governments in 2022 – and India topped the list as the most targeted government in the world last year – but cyber-attacks and data loss incidents at private companies, healthcare institutions and educational establishments are no less disruptive.
It will take time before we can determine whether the increase in the discussion of cyber threats translates to any real change in corporate risk appetite, but we can say with certainty that cyber security conversations will be prevalent in Indian boardrooms in 2023.
As far back as 2017, the Kotak Committee Report on corporate governance, which was implemented by the Securities and Exchange Board of India (SEBI), enhanced the role of the risk management committee to include cyber security. However, in order for cyber security discussions to be productive, they require security and business leaders to be able to collaborate and communicate effectively – and traditionally, this hasn’t been a certainty.
If we are to address this issue and seek better collaboration and communication between business and security leadership, organisations need three things to happen. Firstly, CEOs and Chief Information Security Officers (CISOs) need to work together constructively. Secondly, CISOs need to provide relevant data points that facilitate their board’s decision-making around risk. And finally, it is imperative that boards educate themselves to a reasonable degree about cyber security and cyber risk. This doesn’t mean we should be looking to board members to possess accredited function-specific knowledge, but they must work to ensure they have an up-to-date awareness of cyber threats and a basic working knowledge of risk mitigation options.
Building a partnership between CEOs and CISOs
While for many it may seem a no-brainer suggestion that CEOs and CISOs should be closely collaborating, it is surprisingly common in many organisations for the security leader to have no regular contact with the CEO. This has a direct impact on both roles and severely limits their ability to influence the board in supporting and approving security plans. With cyber risk growing – and only likely to grow more – company leadership should work hard to build direct and deep relationships with their own cyber security experts. Only then can they present recommendations to the board as a team, ensuring the agility required to counter fast-evolving cyber threats.
Presenting the right information to the board
According to the Data Security Council of India, India’s cyber security workforce swelled from 110,000 employees in 2019 to 218,000 in 2021, and despite talent shortages, that number is expected to have grown again in 2022. But this world-leading expertise isn’t held by most board members, and knowing how to communicate the often complex details that impact risk exposure to a non-technical audience can be a real skill.
Narratives designed to trigger fear-based decisions, or ones that are overly technical, typically fail to convey a clear path to action or help advise on the appropriate response. Boards need to understand that the company’s assets are well protected, and they need to be able to make judgements about necessary investments for risk reduction. They also want to be able to understand the return on investment – while cyber security is acknowledged by many to be an essential spend, any investment should deliver maximum risk buy-down.
You convince a board by avoiding the subjective, and leaning into data-driven, quantified risk assessments, filled with evidence to outline exactly what value is at risk from various cyber incident scenarios. Boards want to see risk cost, and plans for risk reduction, but they need to see them presented in the terminology that drives all board discussions – and security leaders go down into the weeds of technology at their peril. A core competency of the security executive is the ability to articulate this appropriately for a board audience.
Meeting security leaders in the middle
Having given advice to security professionals to avoid technical jargon, we must in turn upskill the board.
In 2021, the Reserve Bank of India (RBI) recognised the importance of this knowledge acquisition and mandated awareness training programmes for the senior leadership team and board of directors to familiarise them with the relevant cyber security concepts. This is notable and should be recognised as an important step forward.
There is no way around it; cyber security board conversations and decisions are smoother when members come equipped with at least a basic understanding of cyber threats and associated risks. It is also in their best interest. After all, across many global markets, they can be held accountable for serious data breaches.
Efficient governance, processes, and collaboration are behind the best cyber security strategies, and it will be paramount for the Indian business community to prioritise this aspect for 2023, because in the 21st century, some of the most dangerous criminals are online, and they’re coming for us.