Whilst the digital era provides substantial opportunities for corporate growth and expansion, it also brings unprecedented challenges in relation to company security, and particularly the security of customer, supplier and proprietary data. It has been suggested that victims of cybercrime lose around £245 billion each year worldwide, making it more profitable than the global trade in marijuana, cocaine and heroin combined. Little wonder, then, that the cyber threat landscape is evolving rapidly, with a growing number of well-funded, highly motivated and extremely sophisticated threat actors, including nation states.
In 2013, the European Cybercrime Centre (EC3) based in The Hague reported substantial increases across member states in intrusions, malware, phishing, grooming, denial-of-service attacks, espionage and botnet activity. It also reported a boom in criminal infrastructure on the darknet, growth in malware affecting mobile devices, and wider distribution of malware from cloud services.
All the more reason for boards to step up their prevention policies and ensure their security architecture and cyberdefence tactics effectively address clearly identified corporate risks.
Yet interestingly, despite the increase in cyber threats, the trend for appointing IT directors or CIOs as non-executive directors (NEDs) on corporate boards has been slow to develop. There remains a belief that NEDs in general do not need a deep understanding of cyberspace: the expectation is instead that they ensure adequate risk management procedures are in place.
The fact is that there is a real opportunity to hand-pick NEDs who possess significant IT experience, particularly where directors are not comfortable with the company’s cybersecurity measures. With cybercrime increasing at breathtaking speed, it can be argued that companies would benefit from having a senior IT director or Chief Information Officer in a non-executive position. These people live and breathe technology and can provide a fresh perspective for the chairman, the CEO and the CFO.
They are also well placed to provide an independent view on the company’s own assessment of the level and character of the cyber threats it is likely to face. This would enable the board to ensure that the senior executive team has identified the assets most at risk and developed a framework that prioritises the most serious threats and their potential impact on the organisation.
However, since IT risk and information security have become business issues and not simply technical ones, CIOs would be more effective as NEDs if they also built skills in areas such as high-level governance, operations and corporate strategy. Responding to any breach, and particularly a major one, is a business process that involves not just IT but legal, public and investor relations, HR, law enforcement and others. These additional business skills would enable NEDs from an IT background to bring a strategic view of technology’s role in these, and other, corporate areas.
Given the potential scale of the threat, it is surprising how many board directors are ill-informed and ill-prepared for the worst-case scenarios that could paralyse their companies.
The fact that businesses are becoming ever more technology-dependent and interconnected only increases the risk of cybercrime.
A sound level of technology experience must now be part and parcel of the skill set any board should have, and NEDs really ought to be part of the solution.