Until the middle of the eighteenth century, scurvy had been killing half of the sailors who ventured to sea in search of new lands and trade opportunities. A ship's captain would generally assume that of a hundred seamen on board, only fifty would return alive; the rest would fall prey to scurvy. This limited the ability of England's Royal Navy to explore and conquer new lands, but only until 1753, when James Lind, a Scottish surgeon in the Royal Navy, discovered that citrus fruit was the remedy for the mysterious disease. That one discovery led England to conquer lands and empires on every continent. It saved the lives of millions of sailors at sea, and the sun did not set on the British Empire until 1947.
But while James Lind discovered the treatment in 1753, it took 42 years for the Royal Navy to be persuaded to adopt it and include lemon juice in its sailors' routine diet. That was a long time. In those days, even after losing 42 years following the discovery, the Royal Navy could still set sail to conquer foreign lands without facing a challenging rival.
Shunning a flippant approach to cyber risk
In today's digitally connected world, however, organizations do not have the luxury of time, because customers expect them to deliver at lightning speed. They cannot spend days brooding, nor wait that long to adopt a robust approach or solution. A single unsavory incident is enough to make or break a business, particularly when it comes to addressing cyber risk: one breach can do irreparable financial and reputational harm. According to IBM and the Ponemon Institute's annual "Cost of a Data Breach" report, a US company loses on average $8.19 million to a data breach, more than twice the global average. Imagine how much businesses in aggregate might be losing every year to breaches and cyberattacks.
The modern scurvy, i.e. a flippant approach to addressing cyber risk at the highest level, might cost businesses dearly, and it needs to be addressed at the highest level too. Cybersecurity can no longer be parked in the IT or information security department, because the problem is more than a technological one. In today's hyper-connected world it is a business risk, and it therefore requires the involvement of senior management and the board of directors.
As already stated, a data breach causes a company considerable financial loss. Regulatory bodies such as the SEC and FERC have mandated that organizations report cyber incidents and breaches. Across regulations there are ample provisions under which the onus for cybersecurity oversight, and accountability for breaches, is gradually shifting to management and board members. Growing awareness of privacy protection globally has led to the introduction of tighter data privacy regimes such as the GDPR, CCPA 2018, the UK Data Protection Act 2018 and the Philippines Data Protection Act 2012, among others. Organizations that violate the provisions of these regulations have to pay hefty fines and face stricter action. Hence senior management and board members are required to oversee data protection and cybersecurity effectively. They need to know that data breaches not only cause financial and reputational harm but also invite regulatory action and lawsuits.
Making the CISO part of the boardroom discussion
Senior management and boards must improve their understanding of cybersecurity so that they can measure the cyber risk posed to their business and take effective steps to address it. Yet according to PwC's Annual Corporate Directors' Survey 2019, only 33% say they have sufficient director expertise in cybersecurity. This finding indicates that a majority of boards still lack the knowledge and understanding of cybersecurity needed to mitigate cyber risk. To close this gap, it is critical that boards or senior management make CISOs a regular part of boardroom discussions. Boards and business leaders must also actively endorse and empower CISOs so that they can brief them on the various cyber initiatives, both those already taken and those still required, given the threat perception and regulatory requirements.
At the same time, CISOs must learn to speak to business leaders and board members in business terms: senior management loves the language of metrics and KPIs, and finds itself in an uncomfortable spot when it has to decode technical jargon. Building a cybersecurity strategy around the NIST Cybersecurity Framework's five functions (Identify, Protect, Detect, Respond, and Recover) can help CISOs give complete visibility into the company's cybersecurity readiness, resilience, risk appetite, compliance and initiatives, in measurable metrics that management and board members can easily comprehend.
Injecting cybersecurity into the organization's DNA
Given how the world has changed in the last few months during the COVID-19 pandemic, and how remote working has emerged as the new normal, boards and senior management need to embed cybersecurity into the organization's culture. This will require investment in employee cyber training. The example needs to be set from the top so that everyone is sensitive to basic cyber hygiene, including secure business processes, treating every unknown email with suspicion, and secure use of organizational devices.
Furthermore, it is critical that any application or technology implementation has security built in from scratch; organizations need to make 'security by design' mandatory for IT-related initiatives. Organizations also need to invest in tools and solutions, such as Remote Browser Isolation, that are built on the principle of Zero Trust Security and are capable of keeping malware and malicious actors out of the company network.
PwC's Annual Corporate Directors' Survey 2019: https://www.pwc.com/us/en/services/governance-insights-center/assets/pwc-2019-annual-corporate-directors-survey-full-report-v2.pdf.pdf
NIST Cybersecurity Framework, the five functions: https://www.nist.gov/cyberframework/online-learning/five-functions