CLICK HERE to view the report in PDF or scroll down

Author Vicky Griffiths at Leathwaite.

With the scale, scope, and complexity of cyber-attacks growing by the week, cyber security is a primary issue for CEOs and Boards and one which is rarely far from the top of the risk register.

*PwC Information Security Breaches Survey Technical Report - click on the link for details

Indeed, Chairmen are increasingly keen to learn more about cyber risk and the controls which are in place to protect their organisation.

Advice is not hard to find, and there are a multitude of information sources and standards; the in-house CIO and/or CISO will have a view, and of course there are a myriad of vendors, each with a solution that promises to be the answer to all security problems.

With the aim of demystifying this subject for Chairmen, Leathwaite invited expert guest speaker from Microsoft, Robert Hayes, to present to the group and take part in a roundtable discussion.

Vicky Griffiths from Leathwaite asked Robert to help equip the Chairmen with the right questions to ask of their business around cyber risk and security, as well as the ability to spot a red flag in the answers they receive from the business.

The first message given to the Chairmen around the table was this: if your CIO/CISO comes into the Board with either of the below messages, then this is the first red flag:

“Everything is fine, we have everything covered, we are not at risk of a cyber-attack.”

“It’s a major concern and risk, we need to spend £X million on protecting ourselves and reducing the risk to a level within our risk appetite (where X is an unaffordable number).”

Virtually all organisations fall somewhere in between these two statements. The challenge for any Chairman and Board is working out where within this spectrum their organisation falls and whether any additional action and mitigation is required.

Robert explained that trust is at the heart of a successful security strategy, yet knowing who and what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult.

In his conversations with CEOs, he often asks them their degree of trust in five key security related areas:

  • The people who work in their organisation
  • The organisations in their supply chain
  • The integrity, resilience and security of their existing infrastructure
  • The integrity, resilience and security of cloud based infrastructures
  • The advice they receive, both internal and external

Unsurprisingly, the answer to each question is always a varying degree of conditional trust, but not absolute trust.

“Where the conversation becomes interesting” Robert says, “is where the CEO and I then jointly explore whether the infrastructure, processes and policies of their organisation reflect their intent to avoid absolute trust in these five key areas. Invariably, the answer is no.”

Robert provides recurring examples of this inconsistency, each carrying significant organisational risk, as follows:

  • IT administrators having unfettered and unaudited access to all corporate systems without effective security mitigations such as multi-factor authentication, and privileged access workstations in place;
  • HR departments not instructing the IT department to cancel user access privileges for days, often weeks, after an employee is terminated or leaves the company;
  • Supply chain contracts drawn up with no security provisions, standards, or audit clauses;
  • No due diligence or impartial advice at Board level on the assurances and assertions made by both in-house IT teams and vendors on integrity, resilience and security.

From a cyber security perspective, a key message for Chairmen is that an organisation is only as strong and secure as its weakest link. So it is important for Chairmen and Boards to challenge their Executive teams to understand where the weak links are, why they are weak and how they can be strengthened.

They must look at their whole IT environment – supply chain, customers, employees, infrastructure, platforms, devices, applications, service providers, consultants, cloud, and so on.

It is not sufficient for an organisation to just focus on one aspect of its IT environment, because all that matters to attackers is the weakest link.

Once a Board has effectively understood its IT environment, the next question surrounds the development and implementation of an effective cybersecurity strategy.

In his advice to Chairmen, Robert describes three key elements to any such strategy:

  • Protect: across all access points
  • Detect: using targeted signals, behavioural monitoring and machine learning
  • Respond: Close the gap between discovery and action

Robert shares a couple of sobering statistics to illustrate the importance of detection and response as well as the protection element of any strategy:

  • 200+ days: the median number of days attackers are present on a victim’s network before detection
  • 80 days: the median number of days between detection and full recovery

“Those numbers are scary” Robert says, “It takes an enterprise more than 200 days to detect a security breach and, once you finally found them, it often takes a very long time to completely recover from that breach, often months.

Attackers can wreak havoc on a corporate network, stealing data, breaching privacy, and destroying the trust of customers. These attacks are incredibly expensive, and often come with a much broader and serious impact to a company’s reputation.”

His advice is for Boards and Executives to ‘assume breach’.

This must be the mindset of those in charge of cyber security; they must be suspicious – why is an employee accessing the system in the middle of the night, why does a third party need access to a system, why is just one employee in charge of all IT access rights, how often do passwords require changing? And so on.

Finishing on a positive note, Robert reassured the Chairmen “A huge percentage of attacks are preventable with basic and inexpensive improvements to cyber-security strategy and procedures.”

When determining the changes required, it is important to look at the complete IT environment, and to consider how best to protect, detect and respond to threats, issues and attacks.

For Chairmen and Boards, if a Board reporting pack includes details of cyber breaches, near misses, and threats, this should in fact provide comfort to the Board rather than just create concern.

Of course, no organisation wants to experience issues and breaches, but far better for an organisation to detect quickly and to respond in a timely manner, than to be ignorant and unprepared.

Further Information:

Robert Hayes
After a highly successful career within the Police, Robert went on to develop and launch the UK National Hi-Tech Crime Training Centre, before working for British Intelligence. Robert is now an acknowledged expert in cybersecurity, crisis management, and strategic risk assessment, and is currently an EMEA Executive Cybersecurity Advisor at Microsoft.

LinkedIn: Robert Hayes

Vicky Griffiths
Vicky leads Leathwaite’s new Board Practice, working on non-executive searches across a broad range of sectors. She is also one of Leathwaite’s Governance experts, with a background in Risk Management.

Telephone: +44 207 151 5105
LinkedIn: Vicky Griffiths

LEATHWAITE BOARD PRACTICE: click here for more information