With the scale, scope, and complexity of cyber-attacks increasing by the week, cybersecurity is increasingly being seen as a primary issue for CEOs & Boards.
Advice is not hard to find: there is a multitude of information sources & standards, the in-house CIO will have a view, and of course there is a myriad of vendors, each with a solution that promises to be the answer to all security problems. Trust is at the heart of a successful security strategy, yet knowing who & what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult.
In my conversations with CEOs I often ask them their degree of trust in five key security related areas:
• The people who work in their organisation
• The organisations in their supply chain
• The integrity, resilience & security of their existing infrastructure
• The integrity, resilience & security of cloud based infrastructures
• The advice they receive, both internal & external
Unsurprisingly, the answer to each question is always a varying degree of conditional, but never absolute, trust. The conversation becomes interesting when the CEO & I then jointly explore whether the infrastructure, processes, and policies of their organisation reflect their intent to avoid absolute trust in these five key areas. Invariably, the answer is no. Recurring examples of this inconsistency, each carrying significant organisational risk, are:
• IT administrators having unfettered & unaudited access to all corporate systems, without effective security mitigations such as multi-factor authentication and privileged access workstations in place
• HR departments not instructing the IT department to cancel user access privileges until days, often weeks, after an employee is terminated or leaves the company
• Supply chain contracts drawn up with no security provisions, standards, or audit clauses
• No due diligence or impartial advice at Board level on the assurances & assertions made by in-house IT teams & vendors about integrity, resilience & security
A common closing theme of these conversations is the need for CEOs & Boards to have impartial advice and support, so that they can robustly challenge and undertake effective due diligence in this critical area, and the difficulty of achieving this.
In the US, proposed SEC regulation will mean that companies, in particular publicly listed firms, must have a cyber expert on their Board, yet there are currently very few executive or non-executive directors who have this skill set and are comfortable operating at Board level.
An alternative, but expensive, option is to buy in the skill set from a third party, and there are many consultancies that will be delighted to have this conversation. However, some consultancies also have a vested interest in system integration, and their advice may not be as impartial as it seems.
Finally, there exists the challenging option of changing the relationship with key suppliers away from the classic customer – vendor to one closer to trusted strategic partner, supported by a robust due-diligence process. Many organisations are seeking to move closer to this type of relationship, whilst still maintaining sufficient distance to satisfy probity & procurement rules.
Whilst each of these options has its challenges, the reality remains that without a trusted cybersecurity advisor, CEOs & Boards will continue to make decisions without effective challenge or scrutiny, decisions that leave their organisation vulnerable to cyberattack.
Robert Hayes is a Senior Director and Executive Security Advisor in Microsoft’s Enterprise Cybersecurity Group and an Advisor to Venatus.