Friday, 13 November 2015

Why Cybersecurity is not a tech-imperative, but a business imperative

Cybersecurity is the watchword of the day. Hardly a day goes by without mention of the hacking of a large organisation, be it a large tech company, the e-mail account of a high-ranking security official, or a government database. There are those who call for tighter restrictions on what data organisations may hold about individuals, in the vain hope that holding less will mitigate the risk of what remains being stolen.
What these incidents should do, however, is highlight the gaping hole in the agendas of the executive boards of those multinationals. The people ultimately responsible for corporate governance and for recruiting the C-level executives are unable to ask the right questions of management and are therefore unable to determine whether their companies are sufficiently vigilant against the threat of hacking.

An organisation's IT strategy, which should include cybersecurity, needs to be driven by the business, that is by the organisation's board, rather than by the IT department itself, which would be a case of the tail wagging the dog. The problem is that with so few board members understanding technology, they don't know what questions to ask, and probably feel that they should be enquiring into the specification of the firewall, the level of data encryption or the quality of the antivirus package.

Those questions, however, are precisely the ones for the IT department to answer. The board needs to think instead about compliance, its fiduciary duty and its responsibility to increase shareholder value. Where any of these three might be compromised by the way the organisation's technology is implemented, the board needs to pay attention.

And so hacking is for the business to think about, at the highest level, because it goes to the heart of one of the biggest risks modern companies now face. Hacking will happen.

Data is needed to provide products and services for customers and to create competitive advantage. The solution is not to reduce the amount of data held, but to ensure that it is properly protected. Boards need to know what questions to ask and whom to ask them of. What value does the data have on the open (or black) market? What are the potential losses to the organisation if the data is stolen? And how can the organisation create a culture in which everyone is focused on these questions and is able to raise an early warning when vulnerabilities are found?