Feb12
The role of the Board in relation to cyber security is a topic which is widely discussed amongst security communities on social media. We have asked Corix Partners founder and global cyber security influencer JC Gaillard to give us his views on this matter which he has been following closely since 2015.
Following the avalanche of cyber-attacks we have been seeing over the past few years, is cyber security now definitely on the Board’s agenda?
I would say yes; cyber risk is now consistently identified as a top business risk by the Board in most organisations, but overall, although the topic of cyber security is now definitely on the board’s agenda in most organisations, it is rarely a fixed item. More often than not, it makes appearances at the request of the Audit & Risk Committee or after a question from a non-executive director, or – worse – in response to a security incident or a near-miss. All this hides a pattern of recurrent cultural and governance attitudes which could be hindering cyber security more than enabling it.
What is the biggest mistake the Board needs to avoid, to promote cyber security and prevent breaches?
The biggest mistake would be to downgrade the topic; to believe that, although cyber risk is a top-ranking risk, cyber security is something that needs to be dealt with somewhere below the Board, across the organisation; something which can be left to IT to “sort out”. Of course, each organisation is different and the COVID crisis is affecting each differently – from those nearing collapse, to those which are booming – and as a result, the Board has a very complex agenda to deal with, dominated by uncertainty. But pretending that the protection of the business from cyber threats is not a relevant board topic now borders on negligence and is certainly a matter of poor governance which non-executive directors have a duty to pick up. Cyber-attacks are in the news every week and have been the direct cause of millions in direct losses and hundreds of millions in lost revenues in many large organisations across almost all industry sectors. Data privacy regulators have suffered setbacks in 2020: they have been forced to adjust down some of their fines (BA, Marriott), and we have also seen a first successful challenge in Austria leading to a multi-million fine being overturned (EUR 18M for Austrian Post). Nevertheless, fines are now reaching the millions or tens of millions regularly; still very far from the 4% of global turnover allowed under the GDPR, but the upwards trend is clear as DLA Piper highlighted in their 2021 GDPR survey, and those numbers should register on the radar of most boards. Finally, the COVID crisis has made most businesses heavily dependent on digital services, the stability of which is built on sound cyber security practices, in-house and across the supply chain. Cyber security has become a pillar of the “new normal” and, even more than before, should be a regular board agenda item, clearly visible in the portfolio of one member who should have part of their remuneration linked to it (should remuneration practices allow).
As stated above, this is fast becoming a plain matter of good governance. The actual subject-matter expertise could be provided by a board-level committee structure, as Gartner has recently suggested, as long as it does not dilute accountability and responsibility, which has to stay firmly and unambiguously with one Board member.
Leaving cyber security to the CIO and the CISO to deal with is still quite common unfortunately; what does that hide and why is it such a big problem?
This is a dangerous stance at a number of levels. First, cyber security has never been a purely technological matter. The protection of the business from cyber threats has always required concerted action at people, process and technology level across the organisation. Reducing it to a tech matter downgrades the subject, and as a result the calibre of talent it attracts. In large organisations – which are intrinsically territorial and political – it has led for decades to an endemic failure to address cross-silo issues, for example around identity or vendor risk management – in spite of the millions spent on those matters with tech vendors and consultants. So it should not be left to the CIO to deal with, unless their profile is sufficiently elevated within the organisation. In the past, we have advocated alternative organisational models to address the challenges of the digital transformation and the necessary reinforcement of practices around data privacy in the wake of the GDPR. They remain current, and of course are not meant to replace “three-lines-of-defence” type of models. But here again, caution should prevail. It is easy – in particular in large firms – to over-engineer the three lines of defence and to build monstrous and inefficient control models. The three lines of defence can only work on trust, and must bring visible value to each part of the control organisation to avoid creating a culture of suspicion and regulatory window-dressing.
How do you create truly transformative dynamics around cyber security? Is it just a matter of “throwing money at it”?
The protection of the business from cyber threats is something you need to grow, not something you can buy – in spite of what countless tech vendors and consultants would like you to believe. As a matter of fact, most of the breached organisations of the past few years (BA, Marriott, Equifax, Travelex etc… the list is long…) would have spent collectively tens or hundreds of millions on cyber security products over the last decades… Where cyber security maturity is low and profound transformation is required, simply throwing money at the problem is rarely the answer. Of course, investments will be required, but the real silver bullets are to be found in corporate culture and governance, and in the true embedding of business protection values in the corporate purpose: Something which needs to start at the top of the organisation through visible and credible board ownership of those issues, and cascade down through middle management, relayed by incentives and remuneration schemes. This is more challenging than doing ad-hoc pen tests but it is the only way to lasting long-term success.
Keywords: Cybersecurity