Report from Davos: Board Oversight of Cyberresilience

By Walter Bohmayr and Alexander Türk

Cyberattacks, cyberbreaches, cybercrime. These are not new problems, and they are universally acknowledged to be costly, pervasive, and increasingly sophisticated. Each week new breaches become public, most recently an incident at a large internet service provider that had gone unnoticed for more than two years. The best defense against such intrusions is cyberresilience—building in both the capability to protect yourself and your business from cyberthreats and the ability to rebound from attacks, should they happen.

Cyberresilience is a major strategy issue, and the need for boards and senior executives to give it serious attention cannot be overstated. In many industries, cyberresilience can be a source of competitive advantage, a factor for valuation in M&A situations, and a key enabler of flexible, interconnected value chains. Because it helps determine the speed at which organizations can benefit from technology innovation, it impacts value creation. But what is required to build cyberresilience, and how can boards and executives accelerate the process?

Cyberresilience cannot be left exclusively to the technology domain. As illustrated in the exhibit above—reprinted from “Building a Cyberresilient Organization,” BCG article, January 2017—recent BCG research indicates that more than 70% of breaches exploit nontechnical vulnerabilities. For example, an attack may trick users into disclosing their legitimate credentials. The lesson here is that cyberresilience in an organization must extend beyond the technical IT domain to the domains of people, culture, and processes. A company’s protective strategies and practices should apply to everything the company does—to every process on every level and across departments, units, and borders—in order to foster an appropriately security-conscious culture. Ultimate responsibility for cyberresilience rests squarely on the shoulders of boards and senior executives. It is up to them to push this culture change through the layers of their company.

In the technology domain, a division of duties and reporting lines within the organization is necessary to separate the IT implementation role (which often falls to the CIO), the IT security role (which usually falls to the CISO), and the risk management role (which tends to be the CRO’s responsibility). In many cases, implementing this organizational change requires a board-level push.

Defending against cybercrime is a new challenge for many boards. Regularly including the topic of cyberresilience on the board’s agenda is especially important in such cases because the board’s level of awareness of the issue is relatively low. Boards must devote considerable effort and attention to the task of supervising the transition to a new, cyberresilient state.

TEN BOARD PRINCIPLES

Boards should focus on increasing their knowledge of the topic and their level of comfort in dealing with it. First and foremost, to challenge their executive teams on the subject of cyberresilience, they need to arm themselves with a set of principles or good practices for dealing with the issue. Multiple general recommendations exist on how to act. BCG recently had the opportunity to support the World Economic Forum by creating a set of guidelines, designed for board-level use, that address these challenges. The Forum and its cross-industry working group have identified ten principles and backed them up with pragmatic tools to enable boards to institute them. The principles emphasize taking responsibility, becoming informed on the subject of cyberthreats, anchoring responsibility in the organization, and implementing plans for cyberresilience. Boards also need to join their executive team in a discussion of risk appetite, in order to define the current risk posture of their organization.

In addition, boards need tools for understanding, assessing, and quantifying the risk patterns that their organization faces today and may face in the future. A good first step is to identify the organization’s most important informational assets and to determine the biggest risks to these assets. A second step is to determine how the executive team aims to manage these risks and how much its plan will cost the company. The Forum’s publication includes recommendations, in the form of a Board Cyber Risk Framework, for analyzing and understanding cyberrisk at the board level.

Emerging technologies create great changes and great opportunities, but they also expose companies to grave new risks. Examples of disruptive technologies are big data, the Internet of Things, and autonomous vehicles. Boards need to understand how disruptive technologies change their cyberrisk exposure. The Forum’s publication provides insights directed toward board-level stakeholders regarding challenges such as vendor management, technology life cycle security, and the ability to quickly adapt to change.

Although cyberresilience and cyberrisk management are still young disciplines in many organizations, they are gaining speed. Boards are in a unique position to support and accelerate their development—be it to derisk their organizations’ value creation or to make the world a bit safer for business partners and consumers. It is imperative that boards possess the tools necessary to increase their own understanding, to ask the right questions, and overall to develop cyberresilience.

The report by the World Economic Forum, The Boston Consulting Group, and Hewlett Packard Enterprise is available for download.