Why cybersecurity is now a boardroom issue

Cybersecurity is posing an increased risk to organisations each year, but despite the growing nature of the threat, the issue is still underrepresented on the boardroom agenda.

As Mike Newman, CEO My1Login  explains that instead, cybersecurity is overlooked over other IT initiatives that are easier to digest at the board level, leaving many organisations carrying a significant risk. Directly involving CISOs in C-suite discussion is essential to understanding how cybersecurity permeates every area of a business.

Managing cybersecurity risks

The business case for cybersecurity is fundamentally to reduce risk and avoid future costs. Investment in cybersecurity technology can improve productivity, deliver direct IT cost reduction, and drive business growth, but the most impactful benefit is mitigating the potentially hugely damaging reputational and financial cost of a data breach.

Without a seat at the board room table, it can be difficult for the likelihood and impact of the risks posed by inadequate security measures to be audible above the noise. A successful cyberattack may not be an everyday occurrence, but unlike the more common strategic and operational risks which are more frequently discussed at the boardroom level, the impact of a cyberattack can be swift and catastrophic.

Cyberattacks are increasing rapidly in both frequency and scale, with the average cost of a data breach in 2021 now reaching over £3m. Ransomware in particular is growing at an alarming rate, with the number increasing by 150% in 2020, and the average payment rising by 171%.

If a business falls victim to a ransomware attack, the decision of whether to pay falls within the remit of the board, rather than the IT department. The increasing scale of the potential costs can also heavily impact consumer and investor confidence, making cybersecurity a key component of board members’ fiduciary responsibility. A study of 65 companies affected by hacks since 2013 showed that a successful cyber-attack can wipe as much as 15% from a company valuation, with the average cost to shareholders in a FTSE 100 firm coming in at over 42 billion pounds.

The threats cyberattacks pose to enterprises don’t end with the direct financial impact of the breach. While no business is completely immune to attacks, those that fail to take cybersecurity seriously are likely to find themselves facing additional punitive compliance fines. One of the most notable cases occurred in June 2018, when British Airways suffered a significant data breach. The ICO later found that BA had failed to take adequate security measures to protect customer data, resulting in the airline being hit with a 20 million pound fine in 2020.

The problems with cybersecurity reporting structures

While cybersecurity has become important enough to involve direct C-suite participation in the decision-making process, the technical knowledge required can be a factor in delegating the task to IT or security departments to deal with alone. While board members may be able to identify macro-level risks, they may lack the necessary input to properly understand the risk above other priorities.

CIOs can find it difficult to get buy-in for cyber security initiatives from board members. According to Thomson Reuters, cybersecurity was the least requested information in board meetings, despite it forming a crucial area of risk management, an area of key concern for C-suite discussion.

While the risks are often difficult to quantify for the CIO alone, cybersecurity measures are often unappreciated compared to other initiatives which are more overt in directly underpinning revenue. Where the security function, e.g., the CISO, can only report to the board via the CIO, these issues become harder to convey – yet with the role of the CISO greatly expanding, as well as the scale of cybersecurity threats, this reporting structure is becoming increasingly ineffective.

A further issue with this structure is that CISOs will frequently find themselves competing for a portion of the budget within the IT department against other colleagues who are not responsible for security issues. The conflict between CIO IT initiatives that directly drive revenue growth versus cybersecurity investment which protects against loss can result in a situation where cybersecurity and other investments have an antagonistic relationship instead of a complementary one.

Why boardrooms need CISO input

To combat these issues, many organisations are seeing the benefit of the CISO reporting directly at board level. By having direct input from those at the forefront of dealing with the organisation’s security challenges, the board, who are most responsible for quantifying and managing the risks of the business, will be privy to the CISO directly pitching the costs of neglecting cybersecurity issues.

Since those risks are often poorly understood, the board having access to direct technical expertise is hugely beneficial to understanding the gravity of the threat posed by inaction – as well as the CISO being able to challenge priorities that may unwittingly compromise the businesses’ cybersecurity measures.

A recent McKinsey study showed that the biggest driver of maturity in managing cybersecurity risk was not the size or sector of the organisation, or even the resources made available. Instead, the most important factor was senior management time and attention. By ensuring that the CISO has direct access to the C-suite, an understanding of this risk can filter down to other senior figures in the business.

Legacy reporting structures, where the security function didn’t directly report to the board, was less of an issue when cybersecurity was purely an IT concern. Today, with the scale of the threat exponentially greater, every area of a business needs to understand the risks and foster a culture of security, which cannot be achieved if CISOs are isolated from the boardroom. Now is the time for organisations to recognise the importance of cybersecurity visibility at the highest level and embrace the need for every CISO to have at least a periodic voice in the boardroom.