Book, English, 240 pages, format (W × H): 156 mm x 234 mm
Cyber Security Guide for Directors and CEOs
Series: Security, Audit and Leadership Series
ISBN: 978-1-041-22074-9
Publisher: CRC Press
Historically, cyber security was always a “poor relation” in the eyes of the majority of Boards and CEOs: considered inferior, less important, or not as well regarded as other issues, and treated as an annoying cost centre requiring more and more money that could potentially have been spent “better” elsewhere. This is a result of inertia, a cumulative effect of multiple factors and, more importantly, a lack of understanding of how the landscape has changed in the last 25 or so years.
So, what can Board Members and CEOs do to improve the organisation’s cyber security posture? They can do a lot of things!
To start with, they need to recognise and acknowledge the inherent insecurities of the Internet, on which organisations’ business is built today. By doing this, they will start thinking in the right direction (e.g., “we live and operate in a high-crime area”). They may start focusing on the strength of the domain/subdomain and certificate management processes and ensure that they are bullet-proof.
Secondly, they can look at expanding the organisation’s KPIs to include cyber security, with carefully and correctly selected KPIs (for example, a year-on-year decrease in the complexity of the organisation’s IT ecosystem). They can also consider their approach to the use of devices not managed by the organisation (like BYOD devices and home computers).
Thirdly, they can add a lens through which to look at business cases by introducing “cyber security risk-reward” analysis (oh, isn’t this just another KPI?). This will help with the way they look at the digital revolution. It will also enable them to look at the agile approach from a different angle and, possibly, reconsider its use. It will also help with the containment of SaaS sprawl and shadow IT.
Then, they can ensure that the organisation fully understands the shared security responsibility concept and implements and manages it correctly.
Another area they can i
Target audience
Professional Practice & Development, Professional Reference, and Professional Training
Authors/Editors
Subject areas
- Mathematics | Computer Science, IT | Computer Science, Computer Engineering, Computer Security, Malware (viruses, Trojans, etc.)
- Mathematics | Computer Science, IT | Computer Science, Computer Communication & Networking, Network Security
- Economics, Business Administration, Sector-Specific Management, Management: Leadership & Motivation
- Mathematics | Computer Science, IT | Computer Science, Computer Engineering, Computer Security, Cryptography, Data Encryption




