Cyber security: have we got the board’s attention now?
There is an old adage that, whilst good managers are people who do things right, good leaders are people who do the right things.
One might add that good boards are those which do the right things at the right time. Ignoring an issue which is plain to see – and therefore, critically, doing nothing about it – is a conspicuous abdication of a board’s responsibilities.
I have wondered for a while if this has been the case with corporate attitudes towards cybersecurity. Having heard defences ranging from the wishful to the complacent, and having been routinely bombarded by technical jargon and nebulous statistics, it seems to me that some boards at least accept that the cyber threat is real enough, but hope that catastrophe won’t strike on their watch.
Is this too cynical? Perhaps; but the sudden resignation of Gregg Steinhafel, CEO of US retailer Target, following the loss or compromise of the personal data of up to 70 million customers after the company’s systems were hacked, ought to concentrate more than a few minds. If directors realise that their reputations and livelihoods are at stake, not to mention their companies’ share price, might we expect to see rather greater concentration of effort in addressing this changing, hard to define but very real menace?
In terms of doing the right thing at the right time, this issue seems to me to be one of those challenges to which the most effective boards must rise. Although reliable statistics on fraud and economic crime are hard to validate – current estimates put the UK figure at between £50 billion and £70 billion – the cyber element of this has been consistently valued at over 50%. Yet much of this is unreported, covered up or discreetly downplayed thanks to insurance cover. Of course, there needs to be a sensible balance struck between proper risk assessment and affordable risk management. Investment in technological defences costs a lot of money and our defensive capability is, by common consent, developing less quickly than the threat itself. In such circumstances, having the right people and effective management procedures will prove as important as having a good firewall.
But if one considers the downsides of not doing the right thing at the right time – operational disruption, loss of business, corporate or brand damage, legal costs, collapse of investor confidence – not to mention directors’ own career prospects, perhaps this is an issue which really will now get the board’s attention.
This was posted in Bdaily's Members' News section by Robin Murray Brown.