Cybersecurity: The changing role of the board
In an era of digital revolution, cybercrime has quickly evolved into today's fastest-growing form of criminal activity.
According to Accenture, it will cost firms $5.2 trillion globally in the next five years, which makes cyber security an obvious necessity.
Yet, too often it is neglected by business leaders, more so in Bangladesh.
Here, the role of the board, as a body of senior executives and other key stakeholders, is becoming increasingly important.
The board must establish a "culture of cyber security" across the organisation to impede efforts of the company's adversaries and guarantee that the business will grow quickly in the future.
A robust cyber resilience strategy must be developed with input from all stakeholders: executives who will implement it, IT professionals who know how the technology works, legal teams that understand intellectual property issues, and marketing departments whose brands may be impacted by data breaches.
In Bangladesh, we can take cues from the rules on "Cyber Security Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies" proposed by the US Securities and Exchange Commission on March 9, 2022.
The new regulations address questions like: Does the board include a cyber expert? What are their qualifications? How does the board monitor cyber risks? Does the business consider cyber risks when developing strategies, planning its finances and allocating capital?
The following are a few ways to create a strong ecosystem to enable cyber security decisions at the board level:
First, implement a cyber security framework and hold the management responsible for putting it into action and keeping track of it.
Holistic enterprise-level security is also needed, and the range of tools to prevent and detect attacks must be supplemented with policies and procedures to ensure that all employees understand their role in maintaining security.
It is also important for organisations to consider the security of third parties as industrial systems are becoming more digital as part of Industry 4.0.
Also, allocating adequate cyber security resources must continue to be a high priority.
Cybersecurity should no longer be seen as a luxury but rather an essential investment, especially for financial institutions.
A robust reporting mechanism must also be in place to assess the effectiveness of cyber security tools.
It is not a decision that can be made "once and done"; rather, it should be discussed regularly. The latest threat detection technologies, activities and authentication work with a lot of data and can be expensive for an on-premises setup, so the current shift towards cloud services is crucial.
Gartner predicts that demand for cloud-delivered security services will outpace demand for the entire security market. Alongside cyber protection, the boards must give emphasis to cyber resilience. Resiliency is more than just protection; it includes a strategy for recovery and ongoing operations.
Being resilient involves doing everything you can to prevent and identify a cyber incident as well as ensuring your ability to continue operating when an issue does occur. A board that invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.
The board may find it intimidating to manage cyber security. But a well-considered oversight strategy, thorough reporting, and a solid working relationship with the chief information security officer can help the board and management work together more effectively on this.
Make no mistake, cyber security is the responsibility of the entire board.
The writer is the managing director of eGeneration, general partner of Pegasus Tech Ventures and former president of BASIS.