
Risk is the common language that will close the knowledge and credibility chasm that frequently separates chief information security officers (CISOs) from their boards.
Even in large organisations, the CISO is rarely awarded the authority granted automatically to the chief financial officer (CFO) and some other c-suite executives. But this is already starting to change as new laws on both sides of the Atlantic are making not only CISOs but also chief executive officers (CEOs) responsible by law for significant but essentially preventable cyber-breaches.
Last year the US Securities and Exchange Commission (SEC) is known to have notified the CFO and the CISO of SolarWinds of potential enforcement actions related to the 2020 cyberattack against the company’s Orion software platform, which the company had disclosed in a regulatory filing with the agency. The position was reinforced in October, when the SEC charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about the company’s cybersecurity practices in the period leading up to the Sunburst attack discovered in December 2020.
The former CISO of the multinational ride-hailing and delivery giant Uber also recently received three years of probation, 200 hours of community service and a $50,000 fine for failing to alert US regulators to a 2016 cybersecurity breach. Sullivan says that the main mistake made was in not bringing in third-party investigators to review how his team handled the breach.
On the other side of the Atlantic, the Digital Operational Resilience Act (DORA) is due to come into force in January 2025. DORA is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the financial sector. Although DORA is an EU regulation, it impacts UK and US organisations that offer financial services within the EU or provide third-party services to EU financial services companies. EU regulations have also historically influenced similar laws in the UK and US, so the requirements laid out in DORA may also affect regulatory guidance across the globe.
However, although some progress is now being made at board level in larger organisations, it is medium-sized enterprises that generally fail to grasp the level of cyber-risk they currently face. Many still ask ‘who would want to hack a relatively small organisation?’ and do not fully appreciate their position in the supply chain leading to major corporate targets.
Ove Arup scammed US$25 million by deepfake video conference
Nor do small-to-medium sized enterprises (SMEs) grasp the sophistication of today’s highly organised criminal gangs or the lengths they will go to in order to defraud their victims. In a recently reported incident, for example, an employee at the Hong Kong office of British engineering firm Ove Arup was scammed into making a US$25 million fraudulent payment as a result of a fake video conference that used real-time video and audio deepfakes of his CFO and other trusted colleagues.
The widespread lack of knowledge concerning cybercrime among c-suite level board members was, until very recently, further reinforced by the false sense of security that cyber-insurance can provide. But this is now changing for the better, as insurance companies increasingly demand that their clients put certain cybersecurity measures in place before qualifying for a policy. Some insurers also make it clear that they will refuse to pay out in the event of a serious breach unless the stipulated cybersecurity measures have been adhered to.
However, making board members aware of the risks their companies face is only half the battle. Convincing them that they need to allocate a significant proportion of their budget towards cybersecurity can be a major hurdle. The reason is that, when quantifying risk, IT staff and c-suite executives actually speak two separate languages.
CFOs are trained to measure the investment of financial resources against the return on that investment (ROI). This can be extremely hard for IT staff to quantify at all – let alone with the degree of precision needed to convince most CFOs. And while all organisations face a high risk from cybercrime, the nature of that risk will differ from business to business. For instance, the biggest downside to a successful cyber-attack for a manufacturing company would be to have to cease production, whereas a bank would be concerned less with temporarily ceasing trading and more with protecting its customers’ data and financial assets.
Quantitative risk assessment is effectively the best communication platform when discussing cybersecurity at board level. First, the value of the organisation’s data and assets has to be realistically assessed, also taking account of downtime, lost client goodwill and similar consequential losses. Once the value of the firm’s data and assets has been firmly established in the minds of the board, it becomes more straightforward to put a figure, in terms of ROI, on the value of protecting those digital assets and preventing loss of operation and fines.
The board can also be shown hard figures evidencing how their money is being spent to protect their most crucial assets. For example, by monitoring infrastructure networks 24/7 and having remedial procedures ready to deploy, downtime can be reduced from three months to three minutes.
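The two paragraphs above describe the calculation in words: value the assets and the consequences of an incident (downtime, goodwill, fines, exposed data), then express the protective spend as a return on investment. The following is an added worked example, not code from the original article, that carries that arithmetic through for the two business types the article contrasts (a manufacturer whose main loss is halted production, and a bank whose main loss is customer data and funds) using the standard annualised loss expectancy (ALE) and return on security investment (ROSI) formulas. Every monetary figure, incident rate, the 30-day month and the `MONITORING_COST` are constructed assumptions chosen only to illustrate the method; the "three months to three minutes" downtime figures are the article's own.

```python
"""Annualised loss expectancy (ALE) and return on security investment (ROSI).

Added worked example (not from the original article). Every figure below is a
constructed assumption chosen only to illustrate the arithmetic.
"""
from dataclasses import dataclass, replace

HOURS_PER_MONTH = 30 * 24             # assumption: 30-day month
THREE_MONTHS_H = 3 * HOURS_PER_MONTH  # 2160 h, the "three months" outage
THREE_MINUTES_H = 3 / 60              # 0.05 h, the "three minutes" outage


@dataclass(frozen=True)
class LossScenario:
    """One way a business could lose money, valued in the board's own terms."""
    name: str
    incidents_per_year: float  # annual rate of occurrence (ARO)
    downtime_hours: float      # outage length per incident
    cost_per_hour: float       # lost production or trading per hour of outage
    fines: float               # regulatory penalties per incident
    goodwill_loss: float       # lost client goodwill per incident
    data_loss: float           # value of customer data/assets exposed per incident

    def single_loss_expectancy(self) -> float:
        """Cost of one incident (SLE)."""
        return (self.downtime_hours * self.cost_per_hour
                + self.fines + self.goodwill_loss + self.data_loss)

    def annual_loss_expectancy(self) -> float:
        """Expected annual cost (ALE = ARO x SLE)."""
        return self.incidents_per_year * self.single_loss_expectancy()


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """(risk reduction - cost) / cost; a positive value means the control pays for itself."""
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def evaluate_control(scenario, downtime_hours_after, annual_control_cost, rate_factor=1.0):
    """Re-price a scenario after a control shortens outages (and optionally cuts frequency)."""
    after = replace(scenario,
                    downtime_hours=downtime_hours_after,
                    incidents_per_year=scenario.incidents_per_year * rate_factor)
    before_ale = scenario.annual_loss_expectancy()
    after_ale = after.annual_loss_expectancy()
    return {
        "scenario": scenario.name,
        "ale_before": before_ale,
        "ale_after": after_ale,
        "rosi": rosi(before_ale, after_ale, annual_control_cost),
    }


# Constructed scenarios reflecting the article's two business types (all values assumed).
MANUFACTURER = LossScenario("manufacturer: attack halts production",
                            incidents_per_year=0.2, downtime_hours=THREE_MONTHS_H,
                            cost_per_hour=5_000, fines=0, goodwill_loss=200_000, data_loss=0)
BANK = LossScenario("bank: customer data and funds exposed",
                    incidents_per_year=0.3, downtime_hours=4,
                    cost_per_hour=50_000, fines=1_000_000, goodwill_loss=500_000,
                    data_loss=2_000_000)
MONITORING_COST = 150_000  # assumed annual price of 24/7 monitoring and response


def board_report():
    """Both scenarios with 24/7 monitoring cutting outages to three minutes.

    For the bank the control is also assumed to halve incident frequency, since
    early detection stops some intrusions before data leaves the network.
    """
    return [
        evaluate_control(MANUFACTURER, THREE_MINUTES_H, MONITORING_COST),
        evaluate_control(BANK, THREE_MINUTES_H, MONITORING_COST, rate_factor=0.5),
    ]


if __name__ == "__main__":
    for row in board_report():
        print(f"{row['scenario']}: ALE {row['ale_before']:,.0f} -> {row['ale_after']:,.0f}, "
              f"ROSI {row['rosi']:.1f}x")
```

The point of separating `single_loss_expectancy` from `annual_loss_expectancy` is that the board argues about the two inputs differently: the per-incident cost is a valuation exercise the CFO can audit line by line, while the annual rate is the uncertain estimate that benchmarks and insurers inform. Keeping them apart lets the same model be re-run when either assumption is challenged.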
Businesses that cannot afford in-house cybersecurity experts, or that want to avoid the CAPEX and ongoing maintenance costs associated with 24/7 security monitoring, should consider partnering with experts through a Security Operations Centre (SOC) service. A SOC service provides 24/7 surveillance of the business environment, identifying and neutralising threats before they can escalate. By outsourcing this critical function to professional and experienced cyber experts, boards can be assured that their companies are properly protected and that they personally are indemnified against charges of cyber-negligence.