Cyber security was never a purely technical problem; it is not a leadership imperative in many firms
For the past 20 years, cyber security – information security in its early days – has been seen primarily as a technical matter, to be solved nu technologists using technology means.
In most organisations, it has never been “owned” as such at Board level in spite of the tidal wave of cyber attacks which have rocked most industries across the last decade, and the false pretence by many that it’s on their agenda…
In reality, it appears periodically at Board’s meetings, sometimes as a matter of good governance pushed by independent directors or auditors, sometimes after an incident or a worrying near-miss.
But generally, it remains an operational matter, and somebody else’s problem; something the Board is concerned about and is supportive of, but something the Board is not prepared to consider on its own as Board-level material as such.
At best, it has been seen historically as part of the enterprise risk management practice; nowadays, with the “when-not-if” paradigm around cyber-attacks taking roots, it tends to be seen as part of a broader VUCA agenda, and that is not a bad thing, as indeed the accumulation of cyber attacks we have been seeing in recent years do form part of those patterns, in particular those which can be related to state-backed actors.
Concerns about competence
But quite often, there are also concerns about competence around those matters across the boardroom table: Is the Board sufficiently digitally-savvy to fully appreciate what is at stake and the right actions to take?
Those concerns need to be qualified when it comes cyber security. First, because specific competencies can be brought in if required; that’s just good governance and something the Board can manage. Second, because cyber security was never a purely technical problem, and that’s the message that has failed to make it up to the Board over the past decades.
Fundamentally, the time is coming for senior executives to realise that the predominantly technical approach to cyber security which has been prevailing over the past two decades – on its own – is failing to protect large organisations from cyber-attacks.
Not just because cyber threats keep morphing, but because large organisations have become too complex – functionally, geographically and politically – to effectively deploy protective technical measures across their depth and breadth, and across their supply chain, in spite of the billions spent collectively with tech vendors and large consultancies.
More than ever, it is now dangerous to continue seeing cyber security only in its technical dimension; it downgrades the problem and prevents real long-term solutions from emerging; amongst other reasons, because it alienates real talent.
Only defence-in-depth can protect large organisations from cyber threats, effectively layering controls at people, process and technology levels in a structured way, supported by accountabilities and responsibilities spanning the entire enterprise and all its silos (IT, HR, business units, geographies, senior management etc…).
Putting in place a protective architecture of that type becomes a matter of governance and often requires an amount of culture change around the concepts of control and business protection.
It is not primarily about buying more tech, but about the embedding of cyber security – i.e., the protection of the business from cyber threats – within a broader controls framework and within the culture of the organisation.
Only top-down dynamics can make this happen and it is a genuine board-level competency to have the leadership, the gravitas and the political acumen required to drive it.
Delegating it down to technologists has failed and will continue to fail, because most technologists are trained and incentivised to deliver on functionality and efficiency, not on culture change or control mindset.
The Board has no reason to feel embarrassed in taking ownership of what has become – fundamentally – a leadership matter in most firms, in particular where cyber maturity is low and urgent transformation is required.
It is the only way to make it happen.