
Cyber risk is business risk

Mar 14, 2023 | Cyber Security

Business risk is the responsibility of the board of directors. Didier Wellens, Senior Consultant at Approach, suggests we take inspiration from America's cyber-savvy boards. He explains.

“In my practice, I do not only address CEOs, but also boards, boards of directors, supervisory boards and management boards, according to the latest version of the Belgian corporate governance code. Cyber risks, because of the seriousness of their potential consequences, are business risks; they therefore go beyond the sole responsibility of the CEO to concern the board of directors.

The tone is set. Cybersecurity poses new challenges to corporate governance,” says Didier Wellens, Senior Consultant at Approach, who now assists many companies in their cybersecurity approach from a governance perspective. The approach is complex, first of all because of the very nature of cybersecurity. “Traditional board tools are adequate; on the other hand, the subject of cybersecurity doesn’t make it to the board table!”

Stop betting everything on technology!

“Make no mistake, this is a business issue, not a technology issue. Directors need to understand and address cybersecurity as an enterprise-wide risk management topic… not just an IT topic.”

“This is clearly the first difficulty,” says Didier Wellens. In fact, it is still surprising to see how many companies continue to associate information security or cybersecurity with IT. It is true that most security incident reports come from IT, but IT is not the only area affected: the impact is felt throughout the organization. Therefore, the skills required to manage risks and address issues must exist at the level of the organization as a whole. The board of directors must understand that relying on technology alone is a big mistake. It is the underlying cause of many major breaches.

The explanation lies in the nature of the risks themselves. In the past, it was widely believed that people could hide behind walls to protect themselves from danger. In cyberspace, walls take the form of firewalls, encryption keys and perimeter security. “But today, we know that these devices are no longer enough! A board of directors must accept that attacks can come from cyberspace, not just from the competition. So it’s important to define its risk appetite and plan how to identify possible attacks, how to respond to them and how to remediate potential damage.”

For the board, the topic comes down to a series of concrete questions. What kind of data do we have and how well does it need to be protected? What legal and regulatory requirements apply? What are the risks and how likely are they to occur? How can we prevent these risks and how do we protect against them? How can we quickly identify cyber-attacks that have occurred? And how can we remedy the damage in a targeted and comprehensive manner? It is then up to the board to decide whether or not to mandate management to take appropriate action.

When will there be Cyber Savvy Directors in Europe?

Approaching the subject remains delicate, in our countries in particular. Indeed, few companies have even one board member with cybersecurity expertise, whereas 35% of the largest American companies have taken that step. “To accomplish its mission, the board can invite people who are not directors of the company to think about it. This avoids appointing experts to the board. Appointing one expert per type of risk is simply not manageable…”

The Americans speak of Cyber Savvy Directors, considering the extent of the digital phenomenon. In part, this is because effective cybersecurity management starts at the top, with the board recognizing what it needs to manage, how it will be done and what additional resources it may need. While the board may have ultimate responsibility for the war on cyber threats, everyone at every level of the organization must understand their role on the front lines of this ongoing war, as threats can come from anywhere.

In its Top Security and Risk Trends for 2021, Gartner encourages the creation of cyber-savvy boards. Simply put, a dedicated committee that focuses on discussing cybersecurity issues. This committee is often led by a board member with security experience or by a third-party consultant. In fact, Gartner predicts that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today. Such a committee can motivate the entire chain within an organization to view cybersecurity as everyone’s responsibility, providing a vision for everyone to follow.

Pressure is mounting on boards of directors

Boards of directors already have real oversight powers, but they don’t exercise them when it comes to cybersecurity, preferring to delegate the handling of this issue outside their circle, observes Didier Wellens. “I don’t think it’s the role of the board of directors to advise the organization on the ‘extra layers of protection needed’. That’s too technical a question. On the other hand, they need to be explicit about their expectations in the face of digital risk…”

But how can this movement be accelerated? One option, similar to California’s new regulation requiring female representation on boards, could be a regulation addressing the problem posed by cybersecurity, requiring companies to recruit cybersecurity specialists to their boards. Will we get there?

Pressure is mounting on the boards of major global corporations as they face the growing cyber threat. Until five years ago, cyber risk was not always considered a priority for directors to monitor. Now, the vast majority understand it as a key issue, as cyber risk is considered one of the highest risks to an organization’s business and business model.

In the United States, two recommendations have emerged. One: appoint a Cyber Savvy Director. Two: establish a “technology and cybersecurity committee” to prepare the work of the board of directors in this area. “In the United States, a company that puts these two recommendations into practice could take advantage of them and see its value appreciated by financial analysts… It is a very Anglo-Saxon logic that relies on the market to regulate,” notes Didier Wellens. “The Americans regulate through the market, the Europeans regulate through directives!”

In the spirit of the NIS 2 Directive

The terminology used to name this approach is “cyber risk oversight”. Ultimately, it is simply good practice for boards of directors concerned with cybersecurity. “I believe in the virtue of the example that comes from the top. ‘Tone at the top’, as the Anglo-Saxons say!”

Clearly, cybersecurity is no longer an IT issue but a strategic imperative. It must constantly adapt to business innovation, new attacks, employee needs and customer requirements. To do this well, it must be independent of the IT department, and the board of directors must be directly and regularly involved in cybersecurity strategies and decisions.

The NIS 2 Directive clearly signals this evolution in its Article 17: firstly, by specifying the importance of oversight of risk management measures by the management bodies; secondly, by providing for regular assessment of specific training so that they acquire sufficient knowledge and skills to understand and assess cybersecurity risks.

More than just a PowerPoint!

We must not lose sight of the fact that the first constraint on boards is time, Didier Wellens reminds us. On average, a board of directors meets for five half-days a year. At the same time, for a company’s cyber team to be effective, the board must be clear about its risk appetite: the maximum level of risk the company is willing to take in order to achieve its strategic objectives. Comprehensive information regarding fears (malicious employee, government espionage, etc.) and risk tolerance (work from home, customer web portal, etc.) will allow cybersecurity managers to do an effective job aligned with management’s expectations.

It is important to note that the metrics typically used by cyber teams to estimate the organization’s resilience and cybersecurity posture are not directly transferable to a business discussion. Displaying the list and number of blocked attacks on a PowerPoint slide looks good, but in practice it brings very little value to the conversation.

Human error, always!

“What works best is to introduce a small selection of particularly understandable and relevant indicators, and to help assess them,” says Didier Wellens. “The example I always use is the ‘phishing click rate’. An internal phishing campaign is a good basis for preparing employees for a wide range of threats.”

In fact, 90 percent of cyberattacks originate from human error. Malware, viruses, Trojan horses… it all starts with a click on a bad link. Phishing simulations help to significantly reduce this error rate by giving employees a solid foundation. “By exposing them to various forms of phishing, in a safe and controlled environment, they will learn to recognize the dangers that could occur in the real world.”


The Cyber Savvy Director’s missions

(source: Gartner)

Cybersecurity strategy. A strategic vision and a tactical and operational plan for moving forward can proactively protect company assets and adapt to emerging cyber threats and changing regulatory requirements.

Policy Review. The company’s cybersecurity policies and practices, as well as roles and responsibilities, should be evaluated to ensure they are up-to-date and adequate to protect the organization. Along with the policy review, the board should review the budget allocated to cybersecurity and privacy to ensure that these initiatives are properly funded.

Lead by example. Cybersecurity policies must be enforced and supported by company leadership, which must have the ability to communicate an enterprise-wide plan to manage cyber risk, engaging all employees.

Business Continuity. The board of directors should oversee the development of a comprehensive incident response plan that will ensure the resilience and continuity of the business even during a cyber attack. The plan should be widely understood and regularly drilled.

Ongoing monitoring and evaluation. The board should periodically monitor and review the organization’s cybersecurity controls and capabilities, adapting to new external vulnerabilities and threats.

Cybersecurity Awareness. The board should ensure that the company implements a comprehensive cybersecurity training program to foster a culture where all employees take responsibility for cybersecurity.