It’s often said that boards are only interested in three things: revenue, cost and risk. But with the recent £183m and £99m fines for British Airways and Marriott International respectively, heads of organisations are now realising a data breach can bring down operations.
So how can cyber-security professionals use this level of awareness to drive investment in cyber-security and what strategies actually work? Eleven distinguished guests discussed these questions and more at a breakfast meeting sponsored by Skurio at the Langham Hotel in London; the session was moderated by SC's editor-in-chief Tony Morbin.
Morbin opened the discussion by asking the table to what extent boards consider cyber risk a business risk.
Dr. Kevin Jones, Global Chief Information Security Officer, Airbus, said: "We compare cyber risk to any other business risk. We do a lot of awareness training for the board, report to them regularly in the board meetings about how and where the different levels of risk are. We’re a global organisation with 140,000 employees and multiple business lines. And we have a well-defined process for where that digital security risk lies and it’s coordinated centrally through the Chief Security Officer."
Many boards aren’t so well informed, though, and still don’t see cyber security as a business risk. Mike Proudlock, Head of IT, Royal College of Surgeons, said: "We’re not a very IT-mature organisation. We trace our roots back to 1545 and the Company of Barber-Surgeons in London. And unfortunately some of the security thinking is still in 1545 - in terms of IT capability, in some areas. Trying to get people who aren't in IT to be aware of security issues is an ongoing education process.
"In some ways, GDPR was a Godsend because it woke a lot of people up to the fact that we were perhaps not doing things in the best way and a lot of things changed as a consequence of that. And I’m just trying to keep the positive momentum going," said Proudlock.
"I had the benefit that my organisation recognised that I needed to sit within a pure second-line function, distinct from IT," said a CISO from the finance sector.
The CISO was also able to use GDPR as leverage to make changes to the organisation’s information security programme, but insists that they generally take a pragmatic approach when discussing the issue of potential risk with the board.
"The ‘sky falling in on your head’ routine does not work within my organisation, because they’ve been around for a very long time, they’ve seen the sky fall and they know it doesn’t hurt. And, therefore, I’ve got to be a lot more factual in trying to drive forward a picture of where we are now and where our gaps are.
"The key risk indicators we present to the board are a picture of where we are on our journey. And then I’ve got to pick and choose, and prioritise, because while the board might have some understanding of cyber risk, they lean very heavily on me and my team to provide the guidance. So we take a lot of responsibility on behalf of the organisation to decide what is the next risk," said the CISO.
Morbin then asked, should security teams use the desire that most organisations have for digital transformation to act as an enabler to approach boards to improve and update security?
Quentyn Taylor, Director of Information Security, Canon, said: "The whole reason we have a one team concept around product security is because if you are working in this function, you are walking in the business’s shoes. You’re attending the same sales meetings they are, you’re talking to the same customers. So it’s not a case of me saying to the board that security is very important, it’s their customers saying to me that we’re not going to buy your product unless you put the security in.
"But in B2B it’s absolutely critical. And that helps a huge amount when communicating with the board, because suddenly you can start to make links between what the customer wants and why we need the same thing internally," said Taylor.
Khadir Fayaz, CISO, Pearson, added: "At Pearson we are in the middle of a massive transition. We’re a 150 year old book company that is transforming into a digital eco-system based learning company. And as more and more businesses are becoming digital we all recognise that [security] incidents will happen – and so for us cyber risk is a clear business risk."
Morbin then detailed the results of a recent SC and Skurio survey: around 90 percent of those polled by Skurio believed the recent fines that organisations such as British Airways and Marriott have faced had been "fair and proportionate". He asked to what extent the fear of fines has had an impact on cyber security budgets.
"It’s the fear of reputation damage that is more of a concern for us," said James Marshall, Information Security Lead, Haymarket Media Group. "As we deal with a lot of customer data we had a lot of work to do in the run up to GDPR. We like to consider ourselves as the best in the fields in which we operate, so we wanted to ensure we protected that reputation."
Proudlock added: "For us, it’s shot its bolt. I got the money last year and so if I was to ask for any more money for GDPR-related security my board would want to know why it wasn’t requested last year. It’s now a case of tweaking the edges – and the fines are less of an issue. But the reputational risk is very key and is something that does focus minds."
The roundtable concluded with the guests outlining their thoughts and offering advice to their peers.
"For me it’s a simple three-step approach: educate the board, emphasize the importance of security and show the efficacy of creating a secure approach around the business," said Fayaz.
"Deal with the board as individuals. Understand that each member has made it to the board on merit and so you just need to understand what makes them tick. But you won’t win every battle, so you need to be resilient. In fact, it’s not a case of win/lose, you just haven’t convinced them yet," said Taylor.
The CISO from the finance sector added: "People buy from people, I don’t talk to ‘the board’ I talk to individuals who sit on the board. I own very little risk, I’ve done my job if I make sure the people who do own the risk understand it and the controls that they are implementing to manage that risk."