IT professionals often complain of the difficulty of convincing the purse string holders of the importance of different initiatives. They are usually faced with a sceptical chief finance officer asking them to demonstrate how their latest spending request can contribute to the bottom line. Productivity investments, yes; preventative medicine, no.
But that attitude may be changing if the results of the latest KPMG CEO Outlook 2019 are anything to go by. Some 1,300 chief executives from around the world took part in the research for the report, which revealed that cyber is seen as the number one risk to organisational growth by Irish chief executives. The survey also found that 62 per cent of Irish chief executives believe a strong cyber strategy is critical to build trust with key stakeholders, up from just 22 per cent in 2018.
But that is no cause for complacency, according to KPMG head of cybersecurity in Ireland Dani Michaux. “Every board is hearing about it, but my biggest concern is the type of metrics being reported,” she says. “Cybersecurity should be considered as part of broader business discussions – it’s not just a compliance metric. What did you do after a breach? Did you change anything? Did you make any decisions? Did you change procurement policies? These are matters for the board.”
She believes there is a need for more actionable information to be provided to boards in order for the right discussions to take place. “Every board member should be able to answer questions about cyber risk,” she adds.
Ulster University professor of cybersecurity Kevin Curran believes the topic is being taken more seriously in the boardroom. “It is improving,” he says. “This is reflected in increased spending on cybersecurity. It used to be difficult for IT departments to get approval for spending; how can you prove a negative? GDPR has helped move it up the agenda and boards know they have to take responsibility for it and can’t pass the buck anymore.”
He believes there should be regular cybersecurity updates at board meetings. “The digital world moves so quickly. A lot of people on boards and in C-suites are from different backgrounds and don’t fully understand the topic. There should be security briefings at every board meeting with updates on the threat landscape.”
Cost to reputation
Three Ireland’s head of regulatory affairs Niamh Hodnett also sees a change. “It is being taken seriously as there is a cost to reputation if it isn’t. Cyber should be on company risk registers. If it’s not already on the board agenda, it should be. All companies would also do well to have a cyber resilience strategy. We are so dependent on phones, PCs, laptops, and so on that it’s not an IT problem anymore. Cybersecurity has to be on every agenda.”
Head of the Risk & Advisory Services department at BDO Ireland Brían Gartlan agrees. “Cybersecurity is quite topical at the moment and awareness has improved, with businesses now sharing the responsibility across departments where previously it was seen as an area of responsibility just for IT departments,” he says. “It should be added as an agenda item so that the board are aware of the steps an organisation is taking to prevent such an attack from happening.”
Increased knowledge is the key to pushing it further up the agenda, he believes. “A key success factor is to educate key stakeholders, which will help to drive awareness. Having challengers involved in simulation training further drives the agenda.”
Curran points to a practical example of the benefit of having greater understanding at the top. This relates to so-called bug bounties, which involve organisations paying benign hackers to penetrate their networks in order to discover weaknesses. This is very valuable, but costs money. “The IT department needs to be able to convince boards that they should be allowed to pay for services like that.”
Building cyber awareness into the culture of an organisation is also important. “You need a culture where cybersecurity is everyone’s challenge, and this is particularly true in large organisations,” adds Dani Michaux. “There’s no point having expert cybersecurity professionals, when others may be doing risky things that could compromise the organisation.”