SlideShare a Scribd company logo

Norman Broadbent Cybersecurity Report - How should boards respond

L
Lydia Shepherd

The document discusses how boards should respond to cybersecurity risks. It argues that boards need to make cybersecurity a priority and share responsibility for setting the cybersecurity agenda. The CIO should play a key advisory role to the board on technology implications, and boards may benefit from appointing a technology expert to the board. If the CIO is not board-ready, companies should consider elevating the CIO role or creating a Chief Risk Officer role to address cybersecurity at the board level.

1 of 8
Download to read offline
www.normanbroadbent.com Cybersecurity: How Should Boards Respond? April 2015 BOARD PAPERS
the power of the new cio Executive Summary As businesses evolve, technology plays an increasingly significant role in the organisation. Boards not only need to ask the right questions, but also take advantage of technology and use it as an opportunity for growth. Cybersecurity needs to become an issue CEOs know about and not just read about in the Financial Times and say ‘cybersecurity is managed by my IT department.’ Boards have a fundamentally equal role to play in planning for attacks to the business and crucially, the financial, operational and reputational implications of such a security breach. The CIO should play an important role as the strategic advisor around the technology implications at board level and in return the CIO must grasp the broader business strategy and articulate risk from a business perspective. Introduction In 2014, we witnessed a surge in the number of increasingly complex and sophisticated cyber-attacks across all industries, in large corporates, SMEs and start-ups. The scale is staggering: last year in the UK alone, cyber criminals compromised more than a billion data records in over 1500 breaches. The cost of rectifying these breaches is escalating: last year the average cost-to-company of a data breach was £2.5m, up 15% from 2013.1 It is also critical to recognise the effect that these incidents have on consumers; many of those that bank and shop online suffered the loss of their personal and financial data. Cybersecurity has moved far beyond an issue that can simply be resolved by expensive outsourcing or more investment in software or technology. Today’s cyber-attacks are complex, virtually undetectable, not constrained spatially or temporally and are driven by individuals and organisations that are resilient, persistent and able to innovate faster than their targets. The consequences can be devastating, often resulting in brand damage, loss of revenue and substantial fines. Faced with this reality, boards are under increasing pressure to address cyber risk as a fundamental priority aligned to the wider business strategy. How should the cyber agenda, often regarded as complex and deeply technical, become a whole-of-company responsibility driven at board level? 1 Deloitte (2014) Cyber Security: Empowering the CIO “There are only two types of companies: those that have been hacked and those that will be.” Robert Mueller, FBI Director
Cyber: The What, Why and How? As businesses grow, technology is no longer seen as a support function, instead it is the life-blood of the company; the new ‘mail room’ where the highly sensitive company assets are kept. Cybersecurity is the strategies, processes and people that protect and respond to threats to these assets. Cyber criminals take many forms, ranging from foreign intelligence services and industrial competitors to individual hackers, ideological ‘hacktivist’ groups and terrorists. The motivations behind these attacks are varied: financial gain, brand damage, and some crimes are simply committed for no other reason but that it is simply possible. Other threats such as human error, often stemming from company employees themselves, are not generally malicious but can be just as dangerous. A computer virus is the most common form of attack. Access can be gained remotely; spread through a network of computers, or proximately; by directly tampering with the technology in situ. Other common forms of attack include denial of service; overloading an area of a system rendering it inaccessible; phishing; an email sent to induce recipients to reveal their personal data, and backdoors; remotely securing access to a system and installing or modifying existing programmes. What does this all mean? We have established that these attacks come through the electronic or digital world and the ultimate target at stake is available data. The fundamental issue here is who can gain access to this data? The word ‘cyber’ is arguably a red herring; the issues facing companies are issues of data protection. www.normanbroadbent.com “It is clear that cyber-crime has a real and detrimental impact on the global economy. Over time, cyber-crime has become a growth industry; the returns are great, and the risks are low.” Raj Samani, EMEA Chief Technology Officer, McAfee There are four basic parts to a cyber-attack: 1. Reconnaissance: gathering information 2. Exploitation: identifying the weak areas that are open to manipulation 3. Access: gaining entry to a network or system 4. Goal: leveraging weaknesses to cause damage and disruption before covering tracks
Data is critical to any organisation, so the key question is: who holds responsibility for data within the organisation? Data is often pushed down several layers from the board and seen as overly complex and technical. In many organisations, it is the remit of the CIO; in others, the CISO or Chief Data Officer. In financial services organisations, it generally is the responsibility of the Chief Risk Officer as part of the wider financial, operational and prudential risks faced. In many cases, one could argue that the CRO has been elevated to the board of financial services organisations in response to regulatory requirements. As a result, even though most CROs have strong business strategy and risk heritage, many lack technological expertise. In short, many organisations have no coherent strategy on data and it is often split depending on whether the focus is on money, R&D, customer data or intellectual property. It is critical that issues surrounding data are discussed at board level, particularly the CEO and CIO working with the board to protect company assets and customer loyalty in the same way they protect other areas of the organisation. Data should be jointly evaluated and a decision reached around what is most valuable and what should be prioritised. In addition, when data is promoted to the board, it becomes a commercial driver and there is an opportunity for companies to be seen as a trusted holder of that information and use it intuitively to improve customer experience. the importance of data “The new generation of millennials expect companies to know everything relevant about them; they want a tailored buying experience.” Heather Jackson, Director, Actinista
www.normanbroadbent.com cybersecurity and the ‘corporate blind spot’ Many board directors are not fully aware of how technological changes are creating new and significant security challenges for their businesses. It doesn’t help that many current board directors have spent most of their careers in a pre-internet world. As a result, the lack of a technology savvy CEO and Chairman is often a ‘corporate blind spot’ where cyber security is concerned. Amongst CEOs and Chairmen in particular, there can be a feeling of ‘tech is below me, I’m more strategy.’ Moreover, as a CEO, if you do not know how to leverage technology to effectively strategise against cyber-attacks (and recover quickly following one), then a blind spot clearly exists. Additionally, a CIO who generally sits below the board, or simply that lacks the capability or opportunity to articulate how technology can be monetised is a further imperative to ensure cybersecurity becomes a whole- of-business responsibility. Deloitte argues that the CIO should be the lynchpin in the cybersecurity conversation: the visionary, the facilitator, the conduit for information and the challenger of the business. But what happens when the CIO is either not up to the job or does not have the right exposure within the organisation to drive this agenda? “The challenge lies with the boards that are not technologically literate. Phrases such as: ‘I have my secretary print out my emails’and ‘I don’t know how to use my smartphone properly’and ‘Facebook is for my kids’should never be heard.” Al Lakhani, MD, Alvarez & Marsall “If for the last 20 years as a CIO all you’ve been taught is to invent or deploy the next technology for cutting cost, it can be very difficult to think strategically and communicate in true business terms.” EJ Hilbert, Kroll “You would never dream of a CFO not coming to a board meeting. In addition, you would never see a CFO passing up using external audit or teams of external advisors. CFOs also wouldn’t be heard saying ‘Don’t worry; we’ve got a third party doing that.’ The same diligence has to be assigned to cybersecurity.” Val Rahmani, Non-Executive Director, Aberdeen Asset Management
Cybersecurity needs to be addressed by a fundamental change in the way a board communicates. CIOs need to move closer to the business and learn to communicate strategically around these issues. CEOs need to move closer to technology and should consider building an advisory board that includes the best strategist and thought-leaders on this issue and, potentially, think seriously about bringing a Non-Executive Director onto the board who has technological expertise. In 2007, Marks & Spencer brought in Martha Lane Fox, co- founder of Lastminute.com and UK Digital Champion, thus showing its commitment to driving its digital agenda. This year, Val Rahmani joined the board of Aberdeen Asset Management following a successful career at IBM specialising in internet security and we predict more companies will follow this lead. bringing cybersecurity to the board conclusion • Boards must share the responsibility for setting the cybersecurity agenda. • The CIO should play an important role as the strategic advisor around the technology implications at board level - and the reporting structure should reflect this. • If there is a dedicated Chief Data Officer then companies should think seriously about where this role reports into. • If the CIO is not board-ready, non-financial services companies should consider creating a Chief Risk Officer role, developing their existing CIO or hiring a new CIO who is credible to the board. • Chairmen and CEOs need to educate themselves on the key issues presented by cybersecurity and invest in external expertise or a Non-Executive Director with the appropriate expertise to ensure the right questions are asked. • Everyseniorstakeholderneedstobecommittedtotheagenda,asdoeseverypersonwithaccesstotheorganisation’s facilities, including employees, clients, vendors and third parties. • Employees as well as boards have to be educated in terms of business technology security and use: personal security behaviour is often overlooked in favour of the macro picture. • Cybersecurity is not finite and it is not covered by a one-size-fits-all solution; it needs to be treated as an ongoing process with the appropriate measures continually evaluated and the results of these evaluations acted upon. Many companies are unwilling to talk openly about cyber-attacks due to the fear of being stigmatised. This complicates efforts to share best practice and increase cyber awareness at board level. Information between competitors needs to be shared: in the US, the five largest film companies have scheduled monthly round-table meetings to discuss the threats that they are facing in order to pool their intelligence. This approach is slowly being taken up in the UK, but momentum needs to be gained.
acknowledgements norman broadbent cio practice British Private Equity Venture Capital Association (2015) Guide to cyber security Deloitte (2014) Cyber Security: Empowering the CIO Ernst Young (2014) How to use cybersecurity to generate business value HM Government (2014) Cyber Security: balancing risk and reward with confidence KPMG (2014) Cybersecurity: it’s not just about technology Adam Turner Managing Director, CIO TMT Practice Adam Turner joined in January 2011 to lead the Private Equity, TMT and CIO Centres of Excellence. His broad experience encompasses many different sectors - private equity, professional services, business process outsourcing, telecommunications, media and across the fin tech/high-tech sector. Functionally, Adam also has in-depth experience in the CIO area, where he has helped both listed and private equity backed businesses. Prior to joining Norman Broadbent he was the Head of the Private Equity and Technology, MediaTelecommunicationsandCIOPracticesandaPartnerintheBoardPracticeatOdgers Berndston. Adam moved into executive search in 1994 and joined Odgers in June 2004. Before entering the search industry, Adam worked for Bell Canada and Vodafone. His original search role was with another global search firm, Morgan Howard International, focused in the technology, media and telecommunications sectors. During this time he built operations and search practices globally and his final leaving position was as CEO. Adam has operated with both a national and international remit. He has lived and worked across four continents having successfully completed senior level searches in the UK, USA, Asia and EMEA. Adam was born in Zambia and has geographic expertise working across the African continent. Lydia Shepherd Associate, CIO Having graduated from Oxford University, Lydia worked as a sales-trader at Citigroup before transitioning into executive search. Lydia then spent three years at a boutique executive search firm delivering senior level technology, telecoms professional services assignments globally before joining Norman Broadbent in 2012. Lydia is functionally aligned to the CIO practice and has since delivered a number of Fortune 500 and FTSE 350 CIO assignments and a number of other senior level technology and digital roles across a variety of sectors. Alongside executive search, Lydia is involved with Norman Broadbent’s Diversity agenda and regularly represents the firm at conferences and government events. www.normanbroadbent.com
Norman Broadbent 12 St James’s Square | London | SW1Y 4LB | Tel: +44 (0) 20 7484 0000 | info@normanbroadbent.com www.normanbroadbent.com

Recommended

CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
David Sweigert
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
balejandre
 
NACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedNACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedPrista Corporation
 
In the news
In the newsIn the news
In the news
Rob Wilson
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattYigal Behar
 

Recommended

CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
David Sweigert
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
balejandre
 
NACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedNACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedPrista Corporation
 
In the news
In the newsIn the news
In the news
Rob Wilson
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattYigal Behar
 
August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
seadeloitte
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyCasey Fleming
 
ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)Julie Bridgen
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
Bala Guntipalli ♦ MBA
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletterDominic Vogel
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
Cognizant
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce
Zeshan Sattar
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
Tatainteractive1
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
IBM India Smarter Computing
 
Cyber security money men
Cyber security money menCyber security money men
Cyber security money men
giorgiogarrido6
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
Abdul-Hakeem Ajijola
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Sarah Nirschl
 
CC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityCC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityAlistair Blake
 
Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
Gov BizCouncil
 
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
Charlene Li
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
BlackBerry
 

More Related Content

What's hot

August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
seadeloitte
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyCasey Fleming
 
ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)Julie Bridgen
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
Bala Guntipalli ♦ MBA
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
Cognizant
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce
Zeshan Sattar
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
Tatainteractive1
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
IBM India Smarter Computing
 
Cyber security money men
Cyber security money menCyber security money men
Cyber security money men
giorgiogarrido6
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
Abdul-Hakeem Ajijola
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Sarah Nirschl
 
CC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityCC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityAlistair Blake
 

What's hot (19)

August 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber AttackerAugust 2017 - Anatomy of a Cyber Attacker
August 2017 - Anatomy of a Cyber Attacker
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity Literacy
 
ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)ESR_cyberSecurity_issue-1-1 (1)
ESR_cyberSecurity_issue-1-1 (1)
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce Ensuring Cyber Security Resilience with a Skilled Workforce
Ensuring Cyber Security Resilience with a Skilled Workforce
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Cyber security money men
Cyber security money menCyber security money men
Cyber security money men
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
CC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityCC_Futureinc_Cyber Security
CC_Futureinc_Cyber Security
 

Viewers also liked

Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
Gov BizCouncil
 
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
Charlene Li
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
BlackBerry
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
Boris Loukanov
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
Tripwire
 
10 LAUGH Lessons
10 LAUGH Lessons10 LAUGH Lessons
10 LAUGH Lessons
OH TEIK BIN
 
100 images for visual brainstorming
100 images for visual brainstorming100 images for visual brainstorming
100 images for visual brainstorming
Marc Heleven
 
TED Talk "Giving Up Control: Leading in the Digital Era"
TED Talk "Giving Up Control: Leading in the Digital Era"TED Talk "Giving Up Control: Leading in the Digital Era"
TED Talk "Giving Up Control: Leading in the Digital Era"
Charlene Li
 
2017 Cybersecurity Predictions
2017 Cybersecurity Predictions2017 Cybersecurity Predictions
2017 Cybersecurity Predictions
PaloAltoNetworks
 
20 Jokes For Students
20 Jokes For Students20 Jokes For Students
20 Jokes For Students
OH TEIK BIN
 
Words Matter: The Art of Getting People to Do What You Want
Words Matter: The Art of Getting People to Do What You WantWords Matter: The Art of Getting People to Do What You Want
Words Matter: The Art of Getting People to Do What You Want
Kevin Lilly
 
Funny Pics
Funny PicsFunny Pics
Funny Pics
Jorge Franca
 
Effective speech and oral communication
Effective speech and oral communicationEffective speech and oral communication
Effective speech and oral communication
RichardBanez
 
100 extra images for visual brainstorming
100 extra images for visual brainstorming100 extra images for visual brainstorming
100 extra images for visual brainstorming
Marc Heleven
 
"The Engaged Leader" at SXSW Interactive
"The Engaged Leader" at SXSW Interactive"The Engaged Leader" at SXSW Interactive
"The Engaged Leader" at SXSW Interactive
Charlene Li
 
The 7 habits of highly effective people slideshare-31-10-2010
The 7 habits of highly effective people slideshare-31-10-2010The 7 habits of highly effective people slideshare-31-10-2010
The 7 habits of highly effective people slideshare-31-10-2010
CMA Tapan Kumar Dhar
 
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
J. Skyler Fernandes
 

Viewers also liked (18)

Achieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress ReportAchieving Holistic Cybersecurity: 2016 Progress Report
Achieving Holistic Cybersecurity: 2016 Progress Report
 
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"TED Talk Script: "Giving Up Control - Leading in the Digital Era"
TED Talk Script: "Giving Up Control - Leading in the Digital Era"
 
Mobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat LandscapeMobile Security: Preparing for the 2017 Threat Landscape
Mobile Security: Preparing for the 2017 Threat Landscape
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
 
10 LAUGH Lessons
10 LAUGH Lessons10 LAUGH Lessons
10 LAUGH Lessons
 
100 images for visual brainstorming
100 images for visual brainstorming100 images for visual brainstorming
100 images for visual brainstorming
 
TED Talk "Giving Up Control: Leading in the Digital Era"
TED Talk "Giving Up Control: Leading in the Digital Era"TED Talk "Giving Up Control: Leading in the Digital Era"
TED Talk "Giving Up Control: Leading in the Digital Era"
 
2017 Cybersecurity Predictions
2017 Cybersecurity Predictions2017 Cybersecurity Predictions
2017 Cybersecurity Predictions
 
20 Jokes For Students
20 Jokes For Students20 Jokes For Students
20 Jokes For Students
 
Words Matter: The Art of Getting People to Do What You Want
Words Matter: The Art of Getting People to Do What You WantWords Matter: The Art of Getting People to Do What You Want
Words Matter: The Art of Getting People to Do What You Want
 
Funny Pics
Funny PicsFunny Pics
Funny Pics
 
Effective speech and oral communication
Effective speech and oral communicationEffective speech and oral communication
Effective speech and oral communication
 
Gastroenteritis ppt
Gastroenteritis pptGastroenteritis ppt
Gastroenteritis ppt
 
100 extra images for visual brainstorming
100 extra images for visual brainstorming100 extra images for visual brainstorming
100 extra images for visual brainstorming
 
"The Engaged Leader" at SXSW Interactive
"The Engaged Leader" at SXSW Interactive"The Engaged Leader" at SXSW Interactive
"The Engaged Leader" at SXSW Interactive
 
The 7 habits of highly effective people slideshare-31-10-2010
The 7 habits of highly effective people slideshare-31-10-2010The 7 habits of highly effective people slideshare-31-10-2010
The 7 habits of highly effective people slideshare-31-10-2010
 
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
The Best Startup Investor Pitch Deck & How to Present to Angels & Venture Cap...
 

Similar to Norman Broadbent Cybersecurity Report - How should boards respond

Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
Matthew Rosenquist
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen Hamilton
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
seadeloitte
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
Livingstone Advisory
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
International Federation of Accountants
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Accenture Technology
 
The Future of Cybersecurity
The Future of CybersecurityThe Future of Cybersecurity
The Future of Cybersecurity
TheWiltonBainGroup
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
Arun Chinnaraju MBA, PMP, CSM, CSPO, SA
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
incmagazineseo
 
10 Most Influential Leaders in Cybersecurity, 2022.pdf
10 Most Influential Leaders in Cybersecurity, 2022.pdf10 Most Influential Leaders in Cybersecurity, 2022.pdf
10 Most Influential Leaders in Cybersecurity, 2022.pdf
CIO Look Magazine
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Ernst & Young
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
NishantSisodiya
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
EMC
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
Taranggg11
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
Starttech Ventures
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
CBIZ, Inc.
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
David X Martin
 
Untitled document.otd
Untitled document.otdUntitled document.otd
Untitled document.otd
hamzarajpoot33
 
Snapshot UK CIO 2018
Snapshot UK CIO 2018 Snapshot UK CIO 2018
Snapshot UK CIO 2018
David Germain
 

Similar to Norman Broadbent Cybersecurity Report - How should boards respond (20)

Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
The Future of Cybersecurity
The Future of CybersecurityThe Future of Cybersecurity
The Future of Cybersecurity
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
10 Most Influential Leaders in Cybersecurity, 2022.pdf
10 Most Influential Leaders in Cybersecurity, 2022.pdf10 Most Influential Leaders in Cybersecurity, 2022.pdf
10 Most Influential Leaders in Cybersecurity, 2022.pdf
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Untitled document.otd
Untitled document.otdUntitled document.otd
Untitled document.otd
 
Snapshot UK CIO 2018
Snapshot UK CIO 2018 Snapshot UK CIO 2018
Snapshot UK CIO 2018
 

Norman Broadbent Cybersecurity Report - How should boards respond

  • 2. the power of the new cio Executive Summary As businesses evolve, technology plays an increasingly significant role in the organisation. Boards not only need to ask the right questions, but also take advantage of technology and use it as an opportunity for growth. Cybersecurity needs to become an issue CEOs know about and not just read about in the Financial Times and say ‘cybersecurity is managed by my IT department.’ Boards have a fundamentally equal role to play in planning for attacks to the business and crucially, the financial, operational and reputational implications of such a security breach. The CIO should play an important role as the strategic advisor around the technology implications at board level and in return the CIO must grasp the broader business strategy and articulate risk from a business perspective. Introduction In 2014, we witnessed a surge in the number of increasingly complex and sophisticated cyber-attacks across all industries, in large corporates, SMEs and start-ups. The scale is staggering: last year in the UK alone, cyber criminals compromised more than a billion data records in over 1500 breaches. The cost of rectifying these breaches is escalating: last year the average cost-to-company of a data breach was £2.5m, up 15% from 2013.1 It is also critical to recognise the effect that these incidents have on consumers; many of those that bank and shop online suffered the loss of their personal and financial data. Cybersecurity has moved far beyond an issue that can simply be resolved by expensive outsourcing or more investment in software or technology. Today’s cyber-attacks are complex, virtually undetectable, not constrained spatially or temporally and are driven by individuals and organisations that are resilient, persistent and able to innovate faster than their targets. The consequences can be devastating, often resulting in brand damage, loss of revenue and substantial fines. Faced with this reality, boards are under increasing pressure to address cyber risk as a fundamental priority aligned to the wider business strategy. How should the cyber agenda, often regarded as complex and deeply technical, become a whole-of-company responsibility driven at board level? 1 Deloitte (2014) Cyber Security: Empowering the CIO “There are only two types of companies: those that have been hacked and those that will be.” Robert Mueller, FBI Director
  • 3. Cyber: The What, Why and How? As businesses grow, technology is no longer seen as a support function, instead it is the life-blood of the company; the new ‘mail room’ where the highly sensitive company assets are kept. Cybersecurity is the strategies, processes and people that protect and respond to threats to these assets. Cyber criminals take many forms, ranging from foreign intelligence services and industrial competitors to individual hackers, ideological ‘hacktivist’ groups and terrorists. The motivations behind these attacks are varied: financial gain, brand damage, and some crimes are simply committed for no other reason but that it is simply possible. Other threats such as human error, often stemming from company employees themselves, are not generally malicious but can be just as dangerous. A computer virus is the most common form of attack. Access can be gained remotely; spread through a network of computers, or proximately; by directly tampering with the technology in situ. Other common forms of attack include denial of service; overloading an area of a system rendering it inaccessible; phishing; an email sent to induce recipients to reveal their personal data, and backdoors; remotely securing access to a system and installing or modifying existing programmes. What does this all mean? We have established that these attacks come through the electronic or digital world and the ultimate target at stake is available data. The fundamental issue here is who can gain access to this data? The word ‘cyber’ is arguably a red herring; the issues facing companies are issues of data protection. www.normanbroadbent.com “It is clear that cyber-crime has a real and detrimental impact on the global economy. Over time, cyber-crime has become a growth industry; the returns are great, and the risks are low.” Raj Samani, EMEA Chief Technology Officer, McAfee There are four basic parts to a cyber-attack: 1. Reconnaissance: gathering information 2. Exploitation: identifying the weak areas that are open to manipulation 3. Access: gaining entry to a network or system 4. Goal: leveraging weaknesses to cause damage and disruption before covering tracks
  • 4. Data is critical to any organisation, so the key question is: who holds responsibility for data within the organisation? Data is often pushed down several layers from the board and seen as overly complex and technical. In many organisations, it is the remit of the CIO; in others, the CISO or Chief Data Officer. In financial services organisations, it generally is the responsibility of the Chief Risk Officer as part of the wider financial, operational and prudential risks faced. In many cases, one could argue that the CRO has been elevated to the board of financial services organisations in response to regulatory requirements. As a result, even though most CROs have strong business strategy and risk heritage, many lack technological expertise. In short, many organisations have no coherent strategy on data and it is often split depending on whether the focus is on money, R&D, customer data or intellectual property. It is critical that issues surrounding data are discussed at board level, particularly the CEO and CIO working with the board to protect company assets and customer loyalty in the same way they protect other areas of the organisation. Data should be jointly evaluated and a decision reached around what is most valuable and what should be prioritised. In addition, when data is promoted to the board, it becomes a commercial driver and there is an opportunity for companies to be seen as a trusted holder of that information and use it intuitively to improve customer experience. the importance of data “The new generation of millennials expect companies to know everything relevant about them; they want a tailored buying experience.” Heather Jackson, Director, Actinista
  • 5. www.normanbroadbent.com cybersecurity and the ‘corporate blind spot’ Many board directors are not fully aware of how technological changes are creating new and significant security challenges for their businesses. It doesn’t help that many current board directors have spent most of their careers in a pre-internet world. As a result, the lack of a technology savvy CEO and Chairman is often a ‘corporate blind spot’ where cyber security is concerned. Amongst CEOs and Chairmen in particular, there can be a feeling of ‘tech is below me, I’m more strategy.’ Moreover, as a CEO, if you do not know how to leverage technology to effectively strategise against cyber-attacks (and recover quickly following one), then a blind spot clearly exists. Additionally, a CIO who generally sits below the board, or simply that lacks the capability or opportunity to articulate how technology can be monetised is a further imperative to ensure cybersecurity becomes a whole- of-business responsibility. Deloitte argues that the CIO should be the lynchpin in the cybersecurity conversation: the visionary, the facilitator, the conduit for information and the challenger of the business. But what happens when the CIO is either not up to the job or does not have the right exposure within the organisation to drive this agenda? “The challenge lies with the boards that are not technologically literate. Phrases such as: ‘I have my secretary print out my emails’and ‘I don’t know how to use my smartphone properly’and ‘Facebook is for my kids’should never be heard.” Al Lakhani, MD, Alvarez & Marsall “If for the last 20 years as a CIO all you’ve been taught is to invent or deploy the next technology for cutting cost, it can be very difficult to think strategically and communicate in true business terms.” EJ Hilbert, Kroll “You would never dream of a CFO not coming to a board meeting. In addition, you would never see a CFO passing up using external audit or teams of external advisors. CFOs also wouldn’t be heard saying ‘Don’t worry; we’ve got a third party doing that.’ The same diligence has to be assigned to cybersecurity.” Val Rahmani, Non-Executive Director, Aberdeen Asset Management
  • 6. Cybersecurity needs to be addressed by a fundamental change in the way a board communicates. CIOs need to move closer to the business and learn to communicate strategically around these issues. CEOs need to move closer to technology and should consider building an advisory board that includes the best strategist and thought-leaders on this issue and, potentially, think seriously about bringing a Non-Executive Director onto the board who has technological expertise. In 2007, Marks & Spencer brought in Martha Lane Fox, co- founder of Lastminute.com and UK Digital Champion, thus showing its commitment to driving its digital agenda. This year, Val Rahmani joined the board of Aberdeen Asset Management following a successful career at IBM specialising in internet security and we predict more companies will follow this lead. bringing cybersecurity to the board conclusion • Boards must share the responsibility for setting the cybersecurity agenda. • The CIO should play an important role as the strategic advisor around the technology implications at board level - and the reporting structure should reflect this. • If there is a dedicated Chief Data Officer then companies should think seriously about where this role reports into. • If the CIO is not board-ready, non-financial services companies should consider creating a Chief Risk Officer role, developing their existing CIO or hiring a new CIO who is credible to the board. • Chairmen and CEOs need to educate themselves on the key issues presented by cybersecurity and invest in external expertise or a Non-Executive Director with the appropriate expertise to ensure the right questions are asked. • Everyseniorstakeholderneedstobecommittedtotheagenda,asdoeseverypersonwithaccesstotheorganisation’s facilities, including employees, clients, vendors and third parties. • Employees as well as boards have to be educated in terms of business technology security and use: personal security behaviour is often overlooked in favour of the macro picture. • Cybersecurity is not finite and it is not covered by a one-size-fits-all solution; it needs to be treated as an ongoing process with the appropriate measures continually evaluated and the results of these evaluations acted upon. Many companies are unwilling to talk openly about cyber-attacks due to the fear of being stigmatised. This complicates efforts to share best practice and increase cyber awareness at board level. Information between competitors needs to be shared: in the US, the five largest film companies have scheduled monthly round-table meetings to discuss the threats that they are facing in order to pool their intelligence. This approach is slowly being taken up in the UK, but momentum needs to be gained.
  • 7. acknowledgements norman broadbent cio practice British Private Equity Venture Capital Association (2015) Guide to cyber security Deloitte (2014) Cyber Security: Empowering the CIO Ernst Young (2014) How to use cybersecurity to generate business value HM Government (2014) Cyber Security: balancing risk and reward with confidence KPMG (2014) Cybersecurity: it’s not just about technology Adam Turner Managing Director, CIO TMT Practice Adam Turner joined in January 2011 to lead the Private Equity, TMT and CIO Centres of Excellence. His broad experience encompasses many different sectors - private equity, professional services, business process outsourcing, telecommunications, media and across the fin tech/high-tech sector. Functionally, Adam also has in-depth experience in the CIO area, where he has helped both listed and private equity backed businesses. Prior to joining Norman Broadbent he was the Head of the Private Equity and Technology, MediaTelecommunicationsandCIOPracticesandaPartnerintheBoardPracticeatOdgers Berndston. Adam moved into executive search in 1994 and joined Odgers in June 2004. Before entering the search industry, Adam worked for Bell Canada and Vodafone. His original search role was with another global search firm, Morgan Howard International, focused in the technology, media and telecommunications sectors. During this time he built operations and search practices globally and his final leaving position was as CEO. Adam has operated with both a national and international remit. He has lived and worked across four continents having successfully completed senior level searches in the UK, USA, Asia and EMEA. Adam was born in Zambia and has geographic expertise working across the African continent. Lydia Shepherd Associate, CIO Having graduated from Oxford University, Lydia worked as a sales-trader at Citigroup before transitioning into executive search. Lydia then spent three years at a boutique executive search firm delivering senior level technology, telecoms professional services assignments globally before joining Norman Broadbent in 2012. Lydia is functionally aligned to the CIO practice and has since delivered a number of Fortune 500 and FTSE 350 CIO assignments and a number of other senior level technology and digital roles across a variety of sectors. Alongside executive search, Lydia is involved with Norman Broadbent’s Diversity agenda and regularly represents the firm at conferences and government events. www.normanbroadbent.com
  • 8. Norman Broadbent 12 St James’s Square | London | SW1Y 4LB | Tel: +44 (0) 20 7484 0000 | info@normanbroadbent.com www.normanbroadbent.com