Why should the Board be Concerned with Cybersecurity?
By David Sajoto

The rapid transition from on-premises to remote workforces in the wake of the COVID-19 crisis will be looked back upon as a world-historical event. For enterprise IT, it was an earthquake that fundamentally changed the landscape on which we stand.
When the pandemic hit, remote working was a trend that was already on the rise. However, even the most forward-thinking companies did not offer remote working for more than a generous handful of their employees.
IT infrastructure was historically built for the castles and moats of yesteryear in which the majority of those using the corporate network would physically be in the office. The future is hard to predict but we can say with a high level of certainty that the moat has dried up and most will not be going back to the castle.
The pandemic not only affected hiring trends in Singapore but also changed the nature of available jobs. About 35% of job vacancies in Singapore last year involved work that could be done remotely, largely for professional, managerial, executive and technician (PMET) roles, according to the Ministry of Manpower (MOM).
Enterprise IT has changed dramatically in the last year, but that does not mean that the conversation has changed in the boardroom. Because of the shift to remote and hybrid working, organisations had to increase their security budgets to enhance security barriers against opportunistic cyber attackers. Requests to increase IT security budgets are often denied, and while many understand the need to move to the cloud, asking the board for additional budget to uproot the company’s current IT infrastructure can prove difficult.
So how do we get to yes? First and foremost, let’s admit that security practitioners and executives often see the world from two very different vantage points - it is difficult for many on the security side to translate their needs into a business outcome. To get the board on board - those points must converge.
Presenting the problems
You might think the mega breaches that regularly fill headlines are a useful reference point. However, using the widespread fear about breaches as a proof point is a blunt and inaccurate tool at best.
Security practitioners are better off focusing on how to convince executives of the objectives that are specific to their organisation, and concentrate the argument solidly around the concept of risk.
Dredging up fear and paranoia is not helpful, but constructive caution is. The board should understand the risk that exists and how it will impact the business. Examples such as new attack vectors or poor employee security practices must be translated into how they directly affect the organisation. Speaking to the positive business effects from improved cybersecurity practices will win over talking technology.
The board will not expect you to fend off every single attack, but they should know that when the day does come - you’ll lead with resilience. That doesn't always mean stopping the fires from starting, but that when the worst does happen, you are ready to slide down the pole and put the fire out before it causes severe damage.
Providing the solutions
The board’s job is to think about the big picture, and oversee business objectives from the top down. From that lofty vantage point, it can often seem like security objectives are getting in the way of business agility. In order to get the board to understand your side you need to show them how security concerns and business objectives align, or better yet improve the bottom line.
Remote work is a perfect example of the relationship between security concerns and business objectives. In the past, remote work was marred by fears around productivity loss and weak controls over network access. Many of those fears have been alleviated over the steady acceleration of remote working worldwide and businesses are starting to see remote working as a positive force. As such, many executives are now planning for a hybrid workforce.
The security concerns, although diminished, still remain. Without the correct solutions in place to ensure employees can work remotely in a secure way, they will default to their own practices, devices, and preferred apps. This creates access headaches and a Shadow IT problem, which can exacerbate security problems.
With distributed networks and employees, it becomes increasingly crucial to passively monitor your remote workforce and employ machine learning to automatically recognise when behaviour deviates from the norm.
If the board’s business objective is to maintain and ensure a productive hybrid remote workforce moving forward, then security personnel must be ready to help them understand the potential threats to the organisation, as well as employee productivity, and outline a plan that translates technology investments into business language.
When they succeed, security practitioners may be invisible to the business, but they are very noticeable when they do not. Frequently seen as an obstacle to growth, they need to be seen as a partner to the business.
Security teams must learn how to consistently communicate with the board in the business language that it understands, in order to change perception at the very highest level within the enterprise.