1 The CEO Cyber Manual
If we were to travel back in time, no one would have imagined that there would be a day when a global pandemic would strike, causing massive social upheaval and affecting almost every sector. The COVID-19 pandemic, which swept across nations in 2020, has impacted life as we know it, including how we work, how we interact with each other and, essentially, how we live.
Businesses and educational institutions have shut down, employees have been forced to work from home or remotely from other locations, supply chains have been disrupted, individuals have been compelled to self-isolate, and most travel, in-person meetings, and conferences have been prohibited. When we started writing this book, these interruptions had already been going on for several months. Even as we put our pens down, nearly two years later, the times we are living in have changed drastically, and the economic, commercial, and social consequences will continue to be felt for years.
Nonetheless, businesses need to operate in this new environment. Livelihoods depend on it. Corporate operations and services need to keep running smoothly and efficiently. Technology has been a viable solution, used in both conventional and creative ways.
With more businesses adopting digital technologies in their bid to improve efficiency, value, or innovation, we have found ourselves in the age of digital transformation. Many processes and services are continuously moving online, and technologies like cloud computing, robotics, drones, artificial intelligence, chatbots, virtual reality, augmented reality, autonomous systems, and the Internet of Things are shaping the future of the workplace.
Technology now plays a vital role in all activities, from operations in healthcare, business, education, government, the courts, and community services to connected consumer homes. Recent technological advancements have significantly altered what we do in our everyday personal and business activities, and how we do it.
While many C-level executives are excited about how technology has enabled businesses and individuals, its adoption comes with drawbacks, such as increased interconnectivity with, and dependency on, third parties. The same dependency applies to the technology itself, raising concerns about emerging cyber risks.
As boards frequently see cyber-attacks (from nation-state attackers all the way down to the average malicious attacker) and cyber warfare in the headlines, it is natural for them to be increasingly concerned and wary about their businesses falling victim. At the same time, business stakeholders have found themselves overwhelmed by technical jargon and by the misalignment between business and cybersecurity. In this handbook, we describe each executive position's responsibilities and expectations for achieving a cyber-resilient business.
In our first chapter, we’re going to answer the main business stakeholders’ questions by addressing the following topics:
- Why should cybersecurity be a CEO’s priority?
- Understanding cyber risks and their implications on a business
- Understanding cybersecurity challenges, organization, and reporting
- Quantifying cyber-cost vs. return on investment
- Building cybersecurity culture relevance
- Preparing the business for cyber-attacks
- Cybersecurity considerations for a CEO’s first month
- Questions to ask yourself as a CEO in considering your cyber risk coverage
Why should cybersecurity be a CEO’s priority?
As a chief executive officer (CEO), chief administrator, or simply chief executive (CE) in charge of managing an organization, five goals in the new normal are critical for the business:
- Cloud and digital transformation, accelerated due to long-term remote working.
- Speed through automation, supported by technology adoption.
- Sustainability, at the heart of all initiatives.
- A purpose-based business at the heart of the capital market transformation.
- Skills development and talent retention, getting harder by the day due to changing job market demand.
We live in a globally connected world, where information is the lifeblood and technology the blood vessels of an organization. Traditionally, companies built trust through physical files and locks, protecting their customers' interests with manual security processes. As businesses evolve and the way they deliver products and services to customers changes, their reliance on technology also increases, whether they realize it or not. Today, customers interact with businesses through digital channels, creating a plethora of digital data and bypassing any form of physical paper and files. To keep up with this change in customer expectations, and sometimes to stay ahead of the curve, businesses are adopting new technologies at a fast rate, including cloud networks, the Internet of Things (IoT), artificial intelligence, and blockchain. The year 2020 specifically saw an explosion of digitalization, driven by people who were forced to work from home. Quarantine requirements meant that customers could no longer simply walk into a physical store. Due to the threats posed by COVID-19, companies needed to adopt more technology-driven business models to remain competitive.
These changes are beneficial for the business, as they increase revenue through automation and better customer service, all at the customers’ fingertips. However, the intangibility of data and assets stored in digital form in the cloud and in technology systems has led to trust being taken for granted, creating a false sense of security.
These transformational changes, including the increasingly complex ecosystems in which companies operate, have inevitably increased organizations’ risk exposure and, therefore, their cyber risk. Due to the intangibility of data and digital platforms, CEOs historically haven’t been able to see a clear value in investing in cybersecurity or in addressing the emerging risks that technology adoption brings. “I am not a target, and I have an information technology team working on the problem. I am safe.” This is the typical feedback we have been hearing from leaders in organizations.
For many other businesses, cybersecurity is still seen as a nice-to-have, a non-functional requirement driven only by customer demands. It is therefore unfortunate that it has taken businesses falling victim to cybercrime before they start seeing cyber risk as a tangible business risk.
With businesses becoming more dependent on technology to provide services to customers, and with new changes to their operating model, CEOs need to re-evaluate the way they are going to retain trust with their customers.
Dependency on technology: a critical business failure blind spot
Businesses now have more flexibility, automation, and mobility thanks to technology. It's unsurprising to see how reliant company owners are on technology and how technology aids in the growth of businesses. According to a recent study, over 48% of company owners say that the ability to operate their firm from a mobile device is critical. This statistic is supported by the fact that a typical company owner uses their mobile device at least 21 times every day.
The mass digitisation of core business processes, from sales to accounts receivable, business analytics, production lines, cost optimization, and productivity improvement, has widened the potential impact that a technological failure can have on a business. Every business process relies on technology, from a simple spreadsheet to a complete technology platform.
'Cyber risk' is defined as any risk of financial loss, disruption, or damage to an organization arising from a failure of its information technology systems caused by a cyber threat. Technology disruption, data loss, theft or disclosure, and product recalls are examples of the plausible business risks that fall under cyber risk.
Every organization (and indeed every individual) is a target. The dependence on information and technology has exponentially exposed everyone to cyber risk, regardless of industry, size, or geography. It is simply not realistic to claim that “we will never be attacked” or that “it won’t happen to us.” It is widely acknowledged that companies fall into two categories: the ones that have been hacked, and those that do not know yet that they have been hacked.
The more technologically savvy and cyber-aware CEOs know that changing business models and growing technological dependency lead to newly emerging cyber risks, which have a tangible impact on their business. This is the starting point for organizations to address those cyber challenges and decide on adequate and cost-effective cyber initiatives. Building security early into a new technology platform is often cheaper than having to rework the solution at a later stage.
Cybersecurity is a critical environmental, social, and governance (ESG) pillar
Investors today are just as concerned about a firm’s cybersecurity posture as they are about its system capability and operational stability. They often review its data protection and information security policies to assess its cyber risks. As our digital economy continues to flourish and evolve, executive management and global investors are also rapidly becoming more cognizant of the widespread business and social impact of a cyber breach (such as financial or reputational damage). Cybersecurity, which was once primarily a technological problem, is now recognized as a critical environmental, social, and governance (ESG) concern, and is seen as a key metric under the “social” pillar.
ESG frameworks are a practical way to assess business behavior; by including cybersecurity, a new dimension is introduced, providing insight into how an organization demonstrates cyber behaviors and risks, which are both vital elements of the overall ESG picture.
As the global workforce has shifted to working from home, more people are operating beyond the security protections offered by their office IT systems and environments. This has increased the vulnerability of companies’ security defenses (perhaps because of insecure habits arising from a lack of awareness or from security apathy), leading to more frequent cyber incidents and naturally drawing more attention to cybersecurity. If companies do not sufficiently safeguard their information networks, they risk being fined in the event of a breach and/or losing their reputation. We have seen this becoming increasingly common in the IT, consumer discretionary, financial, and communication services sectors, as well as in sectors that traditionally haven’t invested as much in cybersecurity.
Cybersecurity is a growing industry, with core security spending estimated to reach $1.75 trillion cumulatively over the five-year period from 2021 to 2025, according to Cybersecurity Ventures. Cybersecurity has become a social concern, and a global perspective needs to be factored in, accounting for geographical and geopolitical data when analysing cyber-attacks.
Increasing investment in a company’s systems, products, and services to uplift its protection against cyber-attacks can benefit many businesses across industry sectors, which makes cybersecurity a fascinating proposition for organizations, investors, and the general public. Although including cybersecurity as an ESG metric is still a relatively new concept, there is an undeniable and continued increase in interest in it across the board. In a discussion Shamane had with a group of board directors, they highlighted with great enthusiasm that the two hottest topics constantly being brought up in the boardroom are “ESG” and “cybersecurity”.
Cybersecurity is no longer just a technical problem. As an ESG concern it is not only here to stay, but will expand further with time. Now that we’ve unpacked the role and future of cybersecurity within the ESG pillars, in the next section we will dive further into the business fundamentals concerning cyber risk. We will demonstrate how cybersecurity can be aligned with business goals and priorities, and help translate the technical jargon into business risks.
Understanding cyber risks and their implications on a business
Cybersecurity is often an afterthought: a contractual requirement, a compliance checkbox, or a functional requirement in a tender. It has rarely been embedded as a strategy within the business. As cyber risk is perceived as complex and intangible (until one falls victim to a cyber-attack), many have difficulty understanding and evaluating the need to incorporate it into their business plan and enterprise risk in general.
Below are some common questions that are often raised by executive leaders:
- “What is my cyber ROI?”
- “What is my exposure?”
- “What are my losses in the event of a cyberattack?”
- “Will a cyber event cause physical damage to our systems?”
- “How much should I spend on cybersecurity, and what should I prioritize?”
- “How ready would we be if a significant security event were to occur?”
These questions frame the current challenges with cyber risk. The recent race to adopt digital solutions for business, coupled with a lack of awareness and fragmented regulation, has created an urgent need for organizations to develop awareness and understanding of their cyber risk exposure, the general importance of cybersecurity, and its return on investment (ROI).
Many organizations overlook the importance of aligning cybersecurity with their business goals. Protecting businesses from cyber-attacks and data breaches is crucial and requires skilled resources with an adequate budget. However, it doesn’t stop at purchasing an expensive tool or getting your IT team to work on it. Security programs should have a lifelong projection; there is never an “end date”. Cyber risk management needs a holistic risk approach that incorporates mitigating controls across people, processes, and technology, and it needs to align with the business priorities and risk appetite. In assessing their approach and budget for cyber risk management, organizations must weigh their cybersecurity risk management process against their business goals. This starts with understanding the risk appetite, which is one of the first variables to establish. Cyber risks are often inadequately addressed, or not addressed at all, by business stakeholders, probably because they lack the awareness or maturity to do so. Organizations tend to bury cyber risk under technology risk, which in turn gets buried under operational risk. Cyber risk is not just malware; it could be, for example, a significant business interruption due to a cyber-attack (perhaps carried out through malware) on the company’s systems.
A cyber risk could result in business operation disruptions, data breaches, data loss, and/or reputational damage. Unfortunately, few have yet started viewing cyber risk as a business risk.
Cyber risk is a business risk, in the same way that traditional risks are. Just as any business that operates an office would take precautions to protect against property threats, organizations today need to protect themselves from technology risks, especially with the increasing adoption of work-from-home policies and more business activities performed solely through technology.
Mitigating cyber risk requires cybersecurity controls to protect information and systems from unauthorized access, loss, theft, and disruption. Organizations need to ensure that information, applications, and IT systems are easily accessible to staff and authorized users and, at the same time, protected from harm, including disruption, while keeping their approach worth the investment. Those controls are not limited to technical solutions but are based on a balance between people, process, and technology controls.
Lastly, it remains challenging for organizations to secure the right resources and skill sets. Cybersecurity is too often perceived as an IT problem, and it becomes one when it is supported by professionals without the right skills, experience, and qualifications.
Local regulations influence cybersecurity maturity. In some countries, governments have been proactive and built regulatory frameworks to support companies in their cybersecurity journey, directing them via guidelines, laws, and regulations. In Singapore, specific grants (e.g. the GoSecure Programme) are available to businesses to co-finance cybersecurity initiatives and expedite the adoption of basic cyber hygiene in the country. Inevitably, when organizations and industries fail to meet community expectations and address consumers’ safety and security, the government's role is to step in through regulation. There are other examples of government-backed schemes in the UK (e.g. Cyber Essentials) and in Australia (e.g. the Cyber Security Skills Partnership Innovation Fund). The level of involvement and the role that the government plays differ from country to country, as there isn’t a one-size-fits-all model.
A CEO or a business leader needs to understand this before starting, hiring for, or discussing their business cyber capabilities. Cybersecurity is not an IT problem; it is, in actual fact, a business risk.
In the next section, we demystify the current cybersecurity challenges, highlighting the critical question: why do companies keep getting hacked while, in appearance, doing the “right” thing?
Understanding cybersecurity challenges, organization, and reporting
Cybersecurity is a young and emerging profession. While many CEOs and board members have extensive cross-functional experience in accounting, finance, marketing, or HR, few have much cybersecurity experience. As a result, cyber risks are currently not commonly understood in boardrooms. Many companies leave cybersecurity to the organization's CIO/CTO, and cyber risk management is perceived as a cost confined to the IT department, where it must compete for resources and budget against new initiatives for revenue generation, profit increase, customer acquisition, and so on.
A CISO, who is responsible for the confidentiality, integrity, and availability of the data, often finds themselves reporting to a CTO or a CIO. While this structure is common, it has proven ineffective because of the inherent conflict of interest between the CISO’s objectives and those of the CIO or CTO. The CTO aims to ensure that any business technology being implemented is completed within the timelines, while security might slow the process by requiring further checks and tests before the launch. In many cases, this might not seem a business priority.
When Hai was the Chief Information Security Officer (CISO) at Western Australia Police Force, he even suggested to a senior executive, “If security is responsible for availability, integrity, and confidentiality of information, then perhaps the CIO/CTO should report to the CISO, rather than having to compete for organizational resources.” This was an approach to shift the executive’s mindset about how the role of security was perceived.
Although the senior executive's counter view was that security was 'healthy' for competing with other business facets for resources, it is a fact that cyber risk is indeed a business problem that can only be solved through collaboration, not competition.
IBM’s Cost of a Data Breach Report 2021 (https://www.ibm.com/au-en/security/data-breach) revealed that 2021 saw the highest average total cost of a data breach in the 17-year history of the report. It rose from USD 3.86 million to USD 4.24 million in 2021, and those figures show that it is far more costly to recover from a cyber-attack than to address security by design right at the initial stages.
As previously stated, many organizations expect that their Information Technology (IT) department would have them covered. However, having worked with IT departments across law enforcement, government, academia, and the private sector, Hai adds, “I have seen that most IT departments do not have the capability and capacity to manage cyber risks or the skillset necessary to address technical security controls.”
Cybersecurity and Information Technology: similar skills but different focus
Left to the IT department, cybersecurity is often considered a technical issue, a cost center, and a low-priority task that competes for budget against other IT projects that demonstrate a better return on investment for the business.
In Asia, only approximately 10% of the companies that Magda has interacted with have hired a Chief Information Security Officer. In her many years of experience, most of Magda's customers have relied on their IT teams, rather than cybersecurity teams, to perform the work.
A misaligned organizational structure often leads to operational ineffectiveness and challenges. A common challenge that many cyber professionals face is the ability to influence business leaders within their own organizations. Cybersecurity executives are just like any other executive and should have the ability to communicate effectively. Even though they might be mostly technical, having communication skills at the leadership level is critical. CISOs are expected to understand what their organization does from a business perspective, and to be able to relate to business strategies (in some cases, even customer engagement). A common discussion on social media revolves around how the CISO, or the equivalent security executive, should be able to communicate with and influence executives, and that failing to do so should be seen as a failure of the security function.
Unfortunately, cyber is sometimes a thankless job, with an 18-month average turnover rate for a CISO. In an interview Shamane conducted with a group of APAC CISOs, they attributed this to stress as a key factor, including misalignment of views with the senior leadership team and, at a larger scale, the culture of the company. There is only so much a CISO can do. It is no solo effort, as it requires appropriate delegation and resources, and leaning on both senior management and immediate teams. In essence, corporate success is a team effort. Commendable progress, though, is that IT and security have increasingly been recognized over the years as a critical component of professional success. Hai’s career timeline and progression is one good example:
- In 2005, when Hai was the IT security manager in a government agency, five levels of management were above him, reporting to the Chief Executive.
- In 2009, when he was the Associate Director of Information Security at a university, there were three management layers between his position and the Chief Executive.
- In 2013, as CISO of a police force, there were two management layers between his position and the Chief Executive.
- In 2020, Hai held both the Chief Executive Officer and Chief Security Officer positions for a not-for-profit organization.
On the surface, appointing a C-level executive (CxO) as CSO/CISO in a secondary role might be seen as demonstrating a commitment to cyber, since it makes a CxO accountable for it. However, CEOs need to appreciate having a dedicated CISO in the same way they would their CFO or CIO. In a digitally connected world fraught with cyber risk, the CISO and their team will help keep their organizations running.
Beyond technology: cyber risk is a business risk
Security professionals have been addressing cybersecurity for years using technical jargon. This trend has been driving a wedge between the cybersecurity leaders and the business.
The CEO needs to be the organization’s cybersecurity leader and role model. They need to promote a cyber-safe, active, and responsible culture in which each team member understands their responsibility for managing cyber risk to the business, and that cybersecurity is not merely an ‘IT problem.’ Everyone in the organization has a critical role. Once in agreement with the cybersecurity strategy and roadmap defined by the CISO, the CEO needs to back its communication, adherence, and enforcement, ensuring everyone in the organization plays their part in achieving cyber safety for the organization.
As seen in the news with Garmin, Toll, My Budget, Travelex, Lion, just to name a few, when cybersecurity fails, it affects the whole business, not just the IT department. It’s crucial to think about cyber first and make it a business-wide joint function that coordinates security, finance, HR, corporate risk, and IT.
Today, we are in an era where, with global remote working, many people’s work environment has permeated into their homes, and our homes have become a greater target for cyber-attackers to prey on. Ensuring that cyber risk is part of your overall enterprise risk management process and framework is essential.
Tackling cyber challenges requires a strong security culture, prioritizing cyber risks, addressing them accordingly, and keeping them within the organization’s risk tolerance. An organization is led by the CEO and supported by a team driving the same values and goals. If the CEO supports a cyber-aware culture, all stakeholders will consider cybersecurity as part of their priorities and address it.
Cyber risk, while intangible, can be identified by the CISO, who will then define the right strategy and roadmap in alignment with the company's risk tolerance. The strategy should consider the previously identified cyber challenges, the company's current security control landscape, identified gaps, and the roles and responsibilities of its workforce, whilst maintaining alignment with the organization's business strategy, trajectory, and stakeholders. Everyone within an organization has a role. This handbook describes every business executive's responsibilities and expectations for achieving a resilient, cyber-secure business.
In summary, cybersecurity professionals need to be encouraged to avoid technical jargon and align their thinking with business impacts. In the next section, we start by taking what seems like technical jargon to many, and examine two terms that are commonly used interchangeably: “data breach” and “cyber attack”.
Demystifying a data breach and a cyber attack
Let's distinguish a data breach from a cyber-attack:
- A data breach occurs when personal information is accessed without authority.
- Data breaches, in general, are also personal data breaches, and they may be either unintentional or purposeful.
- A cyber-attack is more severe than a data breach, since it is more likely to impact the organization directly.
Data breaches are just one of many different types of cyber risks that businesses of all sizes and industries face daily. A data breach might happen without a cyber-attack when there is a misconfiguration, and unauthorized parties manage to access data.
The size and scope of a security event or a data breach varies. It differs from one business to another. A data breach or a security event may have a significant financial and reputational effect.
Although a security event may be mitigated by a timely, deliberate, and well-organized response, without sufficient preparedness, companies can undoubtedly be subjected to severe consequences from which they may never completely recover. The CEO needs to understand the impacts and financial consequences for a business when a cyber incident occurs, and we will discuss this further in the next section.
Understanding the real business impact
While only some organizations are cyber mature, most think that they are, and many still believe that they are not a target for cybercriminals. They have little to support their current comfort level, other than that they have not yet experienced any discomfort. However, it could already be too late when they do encounter a cyber incident. According to IBM's Cost of a Data Breach Report 2021, the average cost of a data breach in the United States is an alarming USD 8.64 million.
Many small businesses would not even survive such an expense, and larger businesses will still feel the pain of such financial impacts. Beyond the financial fines, other losses include direct and indirect losses following a cyber-attack or a data breach, or both. Imagine the investigation or forensic costs, profit losses due to reputational damage, revenue losses due to business disruptions, share value impact, incident response costs, customer notification costs, recovery costs, etc. Everything just adds up.
A data breach may result from a security event or incident, but it may also arise from a non-security related event. With the diversity of privacy and breach reporting regulations, for example, the requirements and consequences of a data breach may vary and, in some instances, overlap.
Penalties are generally the first fees that businesses evaluate. There are, however, other significant expenses of a data breach and we unpack them in the pointers below:
- When a security event or a data breach happens, companies must analyze a variety of criteria to determine the true financial ramifications, expenses, and losses.
- Notification costs might include fees, charges, and expenditures required to inform persons, regulatory agencies, and any other parties involved that need notification. Following the notice, a corporation should be prepared to respond to questions and any clarifying issues, as well as class action lawsuits. Those activities have a monetary cost.
- In addition, the expenses of a data breach may involve forensic investigations, which may result in an apology (for example, in Japan), a change in processes, improved security precautions, and compensation for loss or damage. These variables contribute to the company's financial losses after a data breach, both directly and indirectly, and are included in the cost of a data breach.
In the event of a successful cyber-attack, a company might face significant consequences, such as the interruption of essential systems and business operations, damage to the integrity of business data, business stagnation, and so on. We break down the different factors contributing to the financial impact of a cyber-attack below:
- Financial losses resulting from direct and indirect expenses and third-party expenditures are included in the economic costs.
- Third-party expenses, such as forensics costs, notification costs, share value losses, and so on, may arise in addition to the immediate interruption, employee overtime, communication costs, or direct expenditures (recovery costs).
- On a medium timescale, the impact of these events might be a loss of customers, a decrease in sales, and a decrease in earnings. However, with time, this might lead to a reduction in market share, a decline in value, or a delay in an initial public offering (IPO), and so on.
- In the event of a successful ransomware cyber-attack, the firm may experience business disruption or operational paralysis. When a company's activities are interrupted, it suffers a financial loss. This loss encompasses apparent and hidden components, such as lower sales and higher labor costs, and future income streams lost due to possible reputational harm.
- Returning to the economic impact of a cyber-attack, the organization should assess the overall recovery time. The total recovery time covers the whole period during which the interruption has an impact on the company's operations and finances, including the expenditure associated with market recovery.
According to Comparitech, breached firms underperform in the market over time, growing by 8.38 percent on average the following year but still underperforming the Nasdaq by 6.5 percent. Target's data breach in 2013 is another fantastic example from the RSA blog. Target experienced a significant data breach that exposed the personal information of about 70 million people. The cost of this data breach was estimated to be $252 million. Following the stock price decline, the corporation must reclaim whatever market share it may have lost due to the occurrence. The significant reputational damage impacts the time it takes to recover, resulting in a greater loss of market share and more time spent resuming operations.
All ‘successful’ cyberattacks leave an impact that will affect an organization financially. Depending on the sector, the extent of the damage will vary. For example, a cyber-attack against an industrial control system (ICS) could result in physical damage, such as fire or explosion, and even loss of life. Recovery from a cyber incident may not only be costly but lengthy as well, such that business could be interrupted or stalled while the situation is being rectified.
The 2017 WannaCry ransomware was a prime example, where more than 200,000 computers were affected globally across industries. Users’ files were held hostage and a Bitcoin ransom was demanded. With over 150 countries affected, this had an estimated cost of $4 billion to global economies.
In conclusion, the cost of a cyber-attack is not merely the direct, immediate expense of restoring a server or an IT activity. It is a complicated calculation that takes into account all of the commercial ramifications. It is the price of a business risk becoming a reality. Additionally, the financial, reputational, and legal consequences of a security incident are often not measured, even though the associated financial losses can be quantified. This quantification gives greater clarity and insight into the actual cost and return on investment (ROI) of cybersecurity investment, which we will unpack further in Chapter 5.
To summarize everything in this section, good cybersecurity enables organizations to build and protect their reputation and trust with their customers. To succeed, organizations need to ensure the proper risk management fundamentals, the right structure for the cybersecurity team, and empowerment. While the trend to elevate cybersecurity to the C-Suite is a step in the right direction, making it a secondary response of another CxO is counterproductive.
In the following section, we address the importance of cybersecurity awareness and work culture in building and nurturing a cyber-ready company.
Building cybersecurity culture relevance
The CEO needs to lead in promoting a cybersecurity culture that reinforces that cybersecurity is an organization capability rather than just a problem for IT to solve.
A strong cybersecurity culture is a set of core beliefs that drives the organization to behave in unison when faced with security challenges. An established, well-thought-out, board-approved cybersecurity plan is only helpful if every staff member understands their role and responsibilities in cybersecurity, appreciates the cyber threats, complies with security measures and guidelines, and understands what it means to remain cyber-vigilant.
A cybersecurity plan needs to be approached holistically to be successful. Everyone must understand that processes and technology play a critical role in developing and maintaining a robust cybersecurity culture. Cyber risk must be taken as seriously as mundane risks, such as natural disasters or acute illnesses. Most importantly, we test, audit, practice, and rehearse, keeping in mind that the goal isn't to be 100% secure. Cyber-resilience is about understanding security threats, maintaining effective security controls, and that cyber incident responses are swift and focused to reduce on-going impacts.
One of the biggest cybersecurity challenges is knowing where to start and what good cybersecurity practices and processes look like. Regardless of an organization’s cyber maturity, the cyber resilience goal of any company should be about the preservation of business operations, protecting the confidentiality of its data, and in the event of a cyber-attack, recovering as quickly as possible with minimal disruptions and losses.
In an organization where the CEO and the board are cyber-savvy, the organization naturally develops a culture where the staff understands that security is about business continuity. A risk to information availability, integrity, and confidentiality affects business continuity, a topic we will delve into a little deeper in the next section.
A cyber-secure organization begins with a cyber-savvy CEO and Board. It does not start with technology and cannot be left to the CIO or CTO.
Understanding cybersecurity at the board level does not require an understanding of security jargon or technical terminology. It comes down to defining the business risks that might materialize following a cyber event such as a data breach, business disruption, or data theft.
When the board and management are aligned and clearly understand the organization's cyber risks, their risk tolerance needs to be defined and agreed upon before building or discussing a cyber strategy.
The following table is an example of risk considerations for a business. The board and the CEO must acknowledge and consider cyber risks at the same level as the other prioritized risks for an organization.
Table 1.1 – An example of high-level risk considerations
According to a study conducted by Allianz, the 2,700 risk management experts surveyed in over 100 countries identified cyber incidents as the ‘most important business risk’ in 2020, a vast difference from 2013, when it ranked 15th in the survey. (See https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/allianz-risk-barometer-2020-business-risks.html)
The table below reflects an increased awareness of the negative impacts that cyber-attacks can have on a business. Business stakeholders are more and more concerned about the implications for their companies and have started prioritizing cyber risk in their risk management process, as shown below:
| Priority | Risk type |
| 3 | Changes in legislation |
| 7 | Climate change, increasing volatility of weather |
| 8 | Loss of reputation or brand value |
Table 1.2 – Risk Type vs. Priorities
Combating cyber risk requires a cyber culture that is well embedded within the organization. All staff must understand the fundamentals instead of merely complying with policies and following technical guidelines, and this starts at the very top, where senior management must lead by example. Cybersecurity strategies must align with business goals, be assessed against the organization's risk tolerance, and be planned and executed accordingly through collaboration between business units rather than competition for resources.
When an organization has established good cybersecurity fundamentals across the board, the business can operate effectively and without major disruptions or regulatory implications.
The CISO is an invaluable resource and leader in helping the organization determine its best cybersecurity strategy; however, they cannot do this alone. The organization’s cybersecurity strategy is a collaborative strategy that requires everyone’s involvement, especially when the organization is undergoing a cyber-attack or is suffering from a disaster caused by one. CEOs and the board need to understand that it isn't a question of whether their organization will be breached, but a matter of being prepared for when it is. The following section explores this in detail.
Preparing the business for cyber-attacks
Current cyber-attacks are targeted and very well defined, designed to cause maximum impacts and disruptions to a business’ operations.
A CEO needs to be prepared by preparing their business for such situations. Often, organizations wrongly believe that because they have an extensive security team, a cyberattack will never succeed, or that because they have made a substantial investment in protection against attacks, a cyberattack will never be successful. Those are myths: 100% security is neither the right goal nor a realistic target.
Securing your organization is also about ensuring that, if an attack does succeed, the business is still able to continue its operations. Can it adapt and evolve in the face of disruption? Business resilience is as much about keeping your information assets available as it is about keeping them safe. In turn, this builds trust among customers and protects your reputation. Hence, it is crucial to plan for failure, including the failure of security controls. Preparing for loss ensures that your organization can survive and continue to operate while other preventive measures are built over time. This will help you cope with the threat of a cyber incident and prepare your business to deal with other disasters.
Gillian Findlay, board member, former CEO at Vamp, a global branded content platform, and former COO at Australia’s SaaS unicorn, SafetyCulture, shared a CEO’s concerns, "There are so many cyber security issues that should be front of mind for any CEO, but ransomware has become the most front of mind. We cannot expect end users to protect their company from this threat, so companies must secure end-user devices while enabling the employees to work efficiently and effectively. Otherwise, ransomware breaches will continue to blight our lives."
While many CEOs and board members might consider the risk of becoming a victim of ransomware or might think that their IT department will restore from backups while the business reverts to manual processes, very few organizations have put that to the test. Those who have put that to the test have done so because of a real crisis and discovered that reverting to manual processes or restoring backups was easier said than done. More about BCP will be detailed in Chapter 7.
Next, we’re going to discuss cybersecurity considerations as part of a CEO’s new leadership assignment for the first month of their tenure.
Cybersecurity considerations for a CEO’s first month
With so many pressing issues requiring their attention, many newly appointed CEOs overlook the importance of cybersecurity in their first month or even first year on the job.
A newly appointed CEO needs to ensure that a CISO and their team are in place and effective, while understanding the organization’s cyber risk posture, from its cyber risks and risk appetite to its risk tolerance. Unfortunately, threat actors and cyber risks will not wait until a CEO is ready. Some cybercriminals may also view a leadership change as an opportunity to attack if they believe an organization is unprepared. The same applies to mergers and acquisitions. A cyber disaster could ruin a CEO: a cyber event leading to significant data loss, data theft, or business interruption may jeopardize the CEO’s reputation, position, and career, along with the organization's revenue and operations.
A newly appointed CEO will prioritize reviewing their cyber incident response preparedness, business continuity plan (BCP), and disaster recovery plan (DRP) and evidence that these plans have been regularly exercised and updated. The plans must include and adequately address technology considerations and vendor support. Having a current and well-rehearsed incident response, BCP and DRP will ensure that the organization will quickly recover and continue, or resume operations in the event of a cyber disaster. Ultimately, this helps to minimize the consequences of a cyber catastrophe if, or when one occurs. Ideally, the BCP should encompass the cyber incident response. However, Magda has also witnessed in Asia a lack of integration, where the BCP remains focused on a simple IT DR plan, and doesn’t consider a significant cyber-attack.
A CEO must consider their visibility on the organization’s crisis communication plan. To this end, templates and guidelines for communication from the CEO to staff, media, customers, and the public should be included in the BCP. Communication in case of a cyber-attack is critical for reputation management and customers' trust. A mismanaged cyber communication plan will undoubtedly impact the share value of a business.
With a sound security strategy in place, the CEO is able to address the tactical issues of incident response, business continuity, and recovery from a disaster.
If an organization does not have an established cybersecurity strategy or team, the CEO needs to prioritize establishing one immediately. This begins with understanding and communicating that cyber risk is a major concern to the company’s board and seeking cyber budgetary approval. If there is no internal expertise available to identify and lead discussions to address and define the organization's current cyber exposure, residual risk, and risk tolerance, the CEO may engage an external cybersecurity consultant in the interim while hiring a CISO to build internal capabilities.
Natural disasters, pandemics, and other types of crisis, both foreseen and unplanned, are unavoidable. Their effects may be minimized through improved readiness and efficient planning. In this first chapter, we have clarified the importance of cybersecurity and its challenges to the business. Crises may radically change not just our ideas and behaviors but also business and industry in various ways.
In the post-COVID age, businesses can uplift their cyber resilience by preparing for emerging cyber risks. A cyber-resilient business identifies its cyber risks beyond the Information Technology department, defines its risk appetite and tolerance, and builds a cybersecurity strategy that is embedded into the business’ operations and activities as a fundamental must-have and not an afterthought.
Questions to ask yourself as a CEO in considering your cyber risk coverage
A challenge for non-cyber executives is knowing the right questions to ask, such as the following:
- Does my organization consider cyber risk within the enterprise risk management process? Or is it still considered an IT problem?
- Are all the C-suite held accountable for cyber risk, or has it been left to the CIO or CISO/ CSO?
- Do I understand the organization’s assets, including intangible ones?
- Do I understand that my organization’s cyber strategy should be based on identifying risks, mitigation/transfer/approval of cyber risks, response, and recovery?
- Does my organization recognize the residual cyber risks and understand its risk appetite and tolerance?
- Has the organization quantified cyber risks, and does it understand the impact and likelihood of such events?
- What is my current Security Risk Posture, and how do I know the controls are working effectively?
- Have I considered the damage to the brand, reputation, and trust resulting from a cyber event?
- Does the organization have an effective BCP/DRP and when was it last tested?
- Is my organization ready to respond and recover?
- Is my organization able to prove due diligence and due care following a cyber incident or could the shareholders/regulators consider my inaction negligent?
- Does my organization understand that 100% security does not exist?
In a digitally connected world, organizations are dependent on information and technology now more than ever before. This world exposes organizations to global threats, some even sponsored by nation-states. Cybersecurity not only ensures that your organization continues to operate in these challenging circumstances; good cybersecurity also increases customer trust, brand, and reputation.
CEOs and boards should develop a healthy cybersecurity culture that encourages the entire organization to embed cybersecurity into people, processes, and technology. These are the essential fundamentals you have learned from this chapter. Finally, you have also learned that cybersecurity needs to be considered complementary to business functions, instead of competing with them, and a business enabler.
The following chapters will show what roles other CxOs play in cybersecurity, starting with the CFO.