Cybersecurity: a business decision for leadership

18 May, 2017

By Vikas Sharma, Associate Director, PwC Mauritius
Part 1 of 2

Vikas Sharma talks about the board’s engagement with cyber security. Please watch Part 2 of this series, where he will discuss how we apply game theory in the boardroom to help senior executives understand, identify, prevent and respond to cyber incidents.

A few years back, cybersecurity was something that did not get a lot of attention from boards. Today, when scanning headlines and news about the latest high-profile cyberattacks, your blood pressure rises as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders? With such high stakes, most of us would agree that cyber security deserves full attention from the highest levels of an organisation.

A cyberattack or breach is not a matter of “if,” but “when”. When it does happen, preparation is everything. Although many boards recognise that cyber security is a risk that requires their specific attention, most struggle to define a comprehensive approach that will genuinely manage risk, rather than piecemeal initiatives with the hope that they are sufficient. As a result, the question remains as to whether the response to cyber security threats is adequate.

Organisations are unique and each needs to set its own direction and tone for cyber security. All aspects of a business including strategy, business development, supply chain, staff and customer experience will be impacted. In coming years, managing cyber security will potentially require radical changes to businesses and their operations.

From our engagements in different industry sectors, it is apparent that there is a need for a pragmatic approach to govern cyber security that is grounded in practical experience. There are many frameworks for the management of cyber security. However, there is little practical guidance as to what boards should consider in the governance of their organisation with regard to cyber security.

How can boards address the risk of cyber exposure within their organisation?

Boards need to align their cyber strategy with their business strategy and goals. This would enable them to understand and quantify their cyber risk environment. It’s imperative to protect what’s important by putting in place the right people and processes, so that they know where their critical information is located and how to safeguard it. Being secure enables organisations to reach new markets, suppliers and partners, and to continually adapt to changing customer demands.

Are board members supposed to manage cyber risk by themselves?

As the cyber threat landscape evolves, boards have to continue to look for ways to get a better grip on how to oversee cybersecurity risk. Boards do understand the potential damage a breach can cause, but there is often a knowledge and translation deficit that can weigh on directors. Boards aren’t expected to have all the answers related to cyber risk, but they do need to engage with management and challenge them by asking the right questions, so they can stay on top of this complex and dynamic risk.

Who has the responsibility to drive a cybersecurity culture?

It all comes down to leadership and accountability. If the culture of the executive team says, “This is an IT problem and we’re just going to have some security guy deal with it,” this allows everybody to ignore their own responsibilities and assume some worker bee is going to handle this. But, if leadership recognises that it’s each and everyone’s responsibility to identify risks, then it’s a totally different mind-set.

A culture of accountability doesn’t mean everything is going to be perfect, but everybody will play their part to manage cyber risks. For example, the chief executive and executives in charge of sales, marketing, finance and operations, etc., need to understand their role in cybersecurity, in managing digital risk and in setting the right tone at the top.

What prevents boards from implementing cyber strategy?

The cost of implementing a cyber strategy is making boards think twice when it comes to protecting their information assets. It depends on the industry, but nobody wants to spend money that could be profit on something that’s not their core business.

During our discussions with boards, we noticed that there were primarily two triggers for investment in cyber security. Firstly, if an organisation had just been compromised, they’d throw money at it and hope the issue goes away. The stakes are high: executives tell us that they consider reputational damage the most devastating impact of a cyber breach, followed by legal and enforcement costs.

Secondly, there are regulatory requirements for companies to be secure. However, there is still a presumption that implementing a cyber strategy involves substantial investment.

Boards should probe their executives with these questions:

1. Do we have the information we need to oversee cyber risk?
2. How effective is our cybersecurity strategy at addressing the risks that the business faces?
3. How do we protect our sensitive information handled, stored and transmitted by third parties, and what about cyber insurance?
4. How do we stay abreast of the threat landscape around our industry and markets?
5. Do we have a tested cyber incident response plan?

Leaders need to acknowledge that cyber threats and cybercrime are issues that must be proactively addressed to move to the forefront of digital. They don’t have to spend a lot of money to be secure, but they do need to be clear about the risks they are trying to address in order to secure their environment and build confidence in the digital future.

How could corporate leaders encourage their executives to think about security, when it’s probably not something in their purview?

We encourage boards to start asking questions like, “What is the risk to our organisation; to our brand?” This can result in discussions where everybody is thinking differently about the things that matter most. For example, a marketing person might think, “I don’t have anything to do with cybersecurity,” but once you involve them in such discussions, it boils down to the impact of an attack on the brand. Since marketing is all about the customers and the brand, they do in fact have a role and a stake in preventing attacks.

Most organisations, before you start that conversation, take the approach of, “Well, our system is not internet facing, so we’re secure.” But if you start asking probing questions about how they would be affected, they think of things like the impact on their product or what a security breach somewhere in the supply chain would mean for their business.

Another question is, “What is your response when there’s an incident?” Mature organisations will have an incident response plan, overseen by a chief information security officer who reports directly to the executive board. We encourage the board to ask, “What is your role if there’s an incident?” It generates ideas on how they would respond to their shareholders if and when something went wrong.

Leading companies are integrating cybersecurity, privacy and digital ethics from the outset, which enables them to actively engage with existing customers and attract new ones. Boards and executives that sustain a focus on cyber security do more than protect their business; they enable growth in the digital age.

Contact us

Vikas Sharma

Partner, Cybersecurity & Privacy, PwC Mauritius

Tel: +230 404 5015

Ariane Serret

Media Relations, PwC Mauritius

Tel: +230 404 5029