Cybersecurity is not a new reality but the next emerging priority for India Inc. Whether it is the most recent attack on the Microsoft Exchange Server that has taken the world by surprise or similar attacks that have rendered not just enterprise networks but also government assets vulnerable, the threat isn’t hiding in the dark – it is apparent and present. At the enterprise level, a cybersecurity breach can impact not just a set of IT operations but also crucial business operations.
While it is the network security team that is responsible for preventing such a breach, the company’s board is being examined in such cases more often than before. So, how can the board be ready if such an unforeseen event unfolds, and how can the direction to take corrective measures come right from the top?
In our latest report we delve into the changing role of the board on cybersecurity to outline the following recommendations:
Have at least one cybersecurity expert on the board
The composition of a company’s board has evolved over the years. Apart from strategy, important functions such as finance have gained representation in the form of a seat on the Board in recent times. Cybersecurity, just like finance, is a critical function that needs to be prioritised on the Board of enterprises that deal with critical data – banking, insurance, defence, consulting and technology.
Having such an expert on the board not only gives confidence to the clients but also helps in educating other board members about the importance of cybersecurity.
Higher focus on diverse cybersecurity talent
Unlike most functions, cybersecurity has seen an improvement in workplace diversity. According to a report by The International Information System Security Certification Consortium (ISC2), women form 24% of the cybersecurity workforce in North America, Latin America and Asia-Pacific. While women are more qualified and are younger in such roles, they still earn less than men in similar roles who are less qualified based on their education.
A more concerted focus on diversity hiring of talent in cybersecurity is something that the board must be aware of and should sponsor. It makes for a good corporate strategy case and for the company’s diversity initiatives.
Take a holistic approach to cybersecurity
The Board must take a holistic approach not just to enterprise security but also to the adoption of frameworks that ensure that the enterprise and the crown jewels are secure and taken care of. An attacker might be looking to just breach the defenses, but what if they stumble upon sensitive information as a part of the breach? Handing a goldmine of data to someone on a platter is what shouldn’t happen, but we’ve been witness to incidents that have actually ended up doing the same. This holistic approach would mean that cybersecurity is not the responsibility of a particular team but of every individual in the organization. Social engineering and phishing attacks are perpetrated not on the infrastructure directly, but through gullible individuals.
Make cybersecurity a priority with the advent of new technologies
The Board must ask questions such as – How can machine learning help mitigate cyber-attacks? How can sophisticated phishing attacks be blocked from reaching the individuals? What role does behavioural psychology play in mitigating such attacks?
The questions could be endless, but the answers are limited, and they all point to not just being defensive, but going out with a heightened sense of sniffing out possible attacks even before they are perpetrated.
The dark web poses another challenge. While most of the data is bought and sold, and attacks are planned, on the dark web, the number of enterprises engaging with or hiring cybersecurity researchers who crawl the dark web for such clues is minuscule. A show of hands on most Boards would reveal unsatisfactory levels of knowledge about the dark web among Board members.
The job of the Board is a difficult one. They are answerable to the investors, the employees, the auditors and the media, to name a few. While people perceive it to be a cushy, do-nothing job, the reality is much different. And cyber-attacks are going to make this job much more difficult, if they haven’t already.
Cybersecurity is a strategy that needs to be on the Board, represented by a person, and not just by a presentation.
The author is Partner, Deloitte India