Managing Director & Senior Partner
Cyberattacks, cyberbreaches, cybercrime. These are not new problems, and they are universally acknowledged to be costly, pervasive, and increasingly sophisticated. Each week new breaches become public, most recently an incident at a large internet service provider that had gone unnoticed for more than two years. The best defense against such intrusions is cyberresilience—building in both the capability to protect yourself and your business from cyberthreats and the ability to rebound from attacks, should they happen.
Cyberresilience is a major strategy issue, and the need for boards and senior executives to give it serious attention cannot be overstated. In many industries, cyberresilience can be a source of competitive advantage, a factor for valuation in M&A situations, and a key enabler of flexible, interconnected value chains. Because it helps determine the speed at which organizations can benefit from technology innovation, it impacts value creation. But what is required to build cyberresilience, and how can boards and executives accelerate the process?
Cyberresilience cannot be left exclusively to the technology domain. As illustrated in the exhibit above—reprinted from “Building a Cyberresilient Organization,” BCG article, January 2017—recent BCG research indicates that more than 70% of breaches exploit nontechnical vulnerabilities. For example, an attack may trick users into disclosing their legitimate credentials. The lesson here is that cyberresilience in an organization must extend beyond the technical IT domain to the domains of people, culture, and processes. A company’s protective strategies and practices should apply to everything the company does—to every process on every level and across departments, units, and borders—in order to foster an appropriately security-conscious culture. Ultimate responsibility for cyberresilience rests squarely on the shoulders of boards and senior executives. It is up to them to push this culture change through the layers of their company.
In the technology domain, a division of duties and reporting lines within the organization is necessary to separate the IT implementation role (which often falls to the CIO), the IT security role (which usually falls to the CISO), and the risk management role (which tends to be the CRO’s responsibility). In many cases, implementing this organizational change requires a board-level push.
Defending against cybercrime is a new challenge for many boards. Regularly including the topic of cyberresilience on the board’s agenda is especially important in such cases because the board’s level of awareness of the issue is relatively low. Boards must devote considerable effort and attention to the task of supervising the transition to a new, cyberresilient state.
Responsibility for Cyberresilience. The board as a whole takes ultimate responsibility for oversight of cyberrisk and cyberresilience. The board may delegate primary oversight activity to an existing committee (for example, a risk committee) or a new committee (a cyberresilience committee).
Command of the Subject. Board members receive a cyberresilience orientation upon joining the board and are regularly updated on recent threats and trends—with advice and assistance from independent external experts available as requested.
Accountable Officer. The board ensures that one corporate officer is accountable for reporting on the organization’s capability to manage cyberresilience and progress in implementing cyberresilience goals. The board ensures that this officer has regular board access, sufficient authority, command of the subject matter, experience, and resources to fulfill these duties.
Integration of Cyberresilience. The board ensures that management integrates cyberresilience and cyberrisk assessment into overall business strategy and into enterprise-wide risk management, as well as budgeting and resource allocation.
Risk Appetite. The board annually defines and quantifies business risk tolerance relative to cyberresilience and ensures that this is consistent with corporate strategy and risk appetite. The board is advised on both current and future risk exposure as well as regulatory requirements and industry/societal benchmarks for risk appetite.
Risk Assessment and Reporting. The board holds management accountable for reporting a quantified and understandable assessment of cyberrisks, threats, and events as a standing agenda item during board meetings. It validates these assessments with its own strategic risk assessment using the Board Cyber Risk Framework.
Cyberresilience Plans. The board ensures that management supports the officer accountable for cyberresilience by the creation, implementation, testing, and ongoing improvement of cyberresilience plans, which are appropriately harmonized across the business. It requires the officer in charge to monitor performance and to regularly report to the board.
Community. The board encourages management to collaborate with other stakeholders, as relevant and appropriate, in order to ensure systemic cyberresilience.
Review. The board ensures that a formal, independent cyberresilience review of the organization is carried out annually.
Effectiveness. The board periodically reviews its own performance in the implementation of these principles or seeks independent advice for continuous improvement.
Boards should focus on increasing their knowledge of the topic and their level of comfort in dealing with it. First and foremost, to challenge their executive teams on the subject of cyberresilience, they need to arm themselves with a set of principles or good practices for dealing with the issue. Multiple general recommendations exist on how to act. BCG recently had the opportunity to support the World Economic Forum by creating a set of guidelines, designed for board-level use, that address these challenges. The Forum and its cross-industry working group have identified ten principles and backed them up with pragmatic tools to enable boards to institute them. The principles emphasize taking responsibility, becoming informed on the subject of cyberthreats, anchoring responsibility in the organization, and implementing plans for cyberresilience. Boards also need to join their executive team in a discussion of risk appetite, in order to define the current risk posture of their organization.
In addition, boards need tools for understanding, assessing, and quantifying the risk patterns that their organization faces today and may face in the future. A good first step is to identify the organization’s most important informational assets and to determine the biggest risks to these assets. A second step is to determine how the executive team aims to manage these risks and how much its plan will cost the company. The Forum's publication includes recommendations, in the form of a Board Cyber Risk Framework, for analyzing and understanding cyberrisk at the board level.
Emerging technologies create great changes and great opportunities, but they also expose companies to grave new risks. Examples of disruptive technologies are big data, the Internet of Things, and autonomous vehicles. Boards need to understand how disruptive technologies change their cyberrisk exposure. The Forum’s publication provides insights directed toward board-level stakeholders regarding challenges such as vendor management, technology life cycle security, and the ability to quickly adapt to change.
Although cyberresilience and cyberrisk management are still young disciplines in many organizations, they are gaining speed. Boards are in a unique position to support and accelerate their development—be it to derisk their organizations’ value creation or to make the world a bit safer for business partners and consumers. It is imperative that boards possess the tools necessary to increase their own understanding, to ask the right questions, and overall to develop cyberresilience.
The report by the World Economic Forum, The Boston Consulting Group, and Hewlett Packard Enterprise is available for download.