by Dawn Dunkerley
Contributing Editor

Simple isn’t easy and technical language doesn’t make you smart: an approach to managing cybersecurity risk in the boardroom.

If you read no further:

  • Cybersecurity is a boardroom issue, and one that is becoming increasingly real.
  • Executing cyber risk mitigation involves specialized skills but managing cybersecurity requires the resource allocation and performance management capabilities boards and executives already have.
  • Compliance does not equate with security.
  • If you know your business and what drives results, you will know what to protect and what to risk as you make investment decisions.
  • A blend of input (leading) and output (lagging) performance indicators should provide the fidelity necessary to manage this new category of risk, and the indicators need not be technical in nature to be effective.

Why is cybersecurity becoming more prevalent in boardrooms?

Cyber is not a new topic, but its relevance in our market is increasing dramatically as firms sprint to digitize without always being methodical about the commensurate business risks. Securing an organization’s technology is all too often an afterthought, and it has taken the form of compliance with checklists and best practices developed under varying contexts by “experts” in technology or regulation, not by those with commerce, investment, and risk management expertise.

Digitization, on balance, is a good thing and so is regulatory compliance; however, two examples from very recent history can help illustrate why compliance is insufficient and restructuring a cost base through technology is not all upside.

Company 1, a logistics and freight hauler, was taken down intermittently for weeks after a ransomware attack. Subsequent breaches were carried out while they scrambled to rebuild broken systems and rebuild trust with clients, regulators, vendors, and employees.

Company 2, a steel maker, lacked sufficient protection or segregation between its enterprise technology and operational technology networks, which allowed a social engineering attack to take down a plant for several days while ransom demands were conjured. Enterprise technologies (ET) are the systems used to manage the business, such as email servers and accounting software. Operational technologies (OT) manage physical processes or equipment, such as conveyor belt speeds and vibration sensors.

Both events were well-publicized in the press, and even if the opportunity cost of lost production and the hard costs of remediation are discounted to $0 (a bold assumption), the reputational loss is real and everlasting.

While the nature and mechanism of the attacks carried out in these two cases are vastly different (more detail on managing these differences in the next installment of this blog series), both serve as stark examples of theoretical risk becoming a costly reality on our shores.

In our next blog, we will address the question, “whose job is cybersecurity?”…