FINAL WORD
Calculate your security spending through digital risk management
Board members can no longer avoid discussing their organisation’s security profile or risk being shown as negligent to future threats, describes Rob Theis at Digital Shadows.
Cyberattacks on businesses are now weekly news as breaches of data are announced regularly. However, until recently many corporate executives did not understand or share the view that addressing digital risk at Board level is important. The Board’s role in understanding and monitoring digital and cyber risk has been highlighted by a multitude of lawsuits alleging Boards were asleep at the switch in the face of a known danger.

Executives and Boards at all companies, especially public companies, face mounting pressure to consider what a worst-case cyber event would look like and how that event would be handled. What corporate governance structures would kick in? What will the legal fallout be, whether it is privacy litigation, shareholder suits or criminal investigations? Members of the Board of Directors are responsible for ensuring the corporation is managed in the shareholders’ best interest, including:

# Fiduciary duties of directors and officers regarding digital risk and cybersecurity

Most officers and directors understand that they must act on an informed basis, in good faith, and in the company’s best interests. Proper preparedness and risk management are critical to insulating officers and directors from liability. Boards must hold frequent meetings to analyse cyber risks and implement potential plans of action. If appropriate, create a committee to review cyber issues and investigate data incidents and breaches. Boards must implement a risk management programme and a monitoring plan, test the programme to ensure compliance, and investigate possible violations.

# Officers and directors should discharge their digital risk fiduciary duties

Digital risk management programmes must have the right technologies in place to identify where risks can have the most impact on the business and brand. Companies should have policies in place that detail the expected response to incidents and ensure that system controls are in place.

The companies best prepared to prevent and respond to cyberattacks recognise that this multifaceted preparedness is an ongoing cycle, and not simply a one-time list of tasks to complete.

To demonstrate that a Board has properly discharged its duties, it must work with management to ensure proper teams have organised plans to prevent and respond to any breaches. Therefore, a company must constantly assess cyber risk trends and threats. Just because nothing appears to be happening on a daily, weekly, monthly or annual basis does not mean an incident will not occur. The business judgement rule is a legal principle protecting officers, directors, managers and other agents of a corporation from liability for loss incurred as a result of business decisions that are within their authority and power to make, when sufficient evidence demonstrates that the transactions were made in good faith.

# Investing in a digital risk framework

Companies struggle to determine how much to spend on IT security, an investment many liken to insurance: no one wants to pay more than they have to. If you are a public company, spend the money to protect the business. You can no longer afford to penny-pinch. The liabilities, penalties and litigation impact are significant. Companies spend an average of 6–7% of their IT budget on security technology, outside services and staff.

How much an organisation invests in IT security stems from a range of criteria. Companies that are consumer facing, have a large attack surface, a recognised brand and highly guarded intellectual property, and must comply with industry regulations and government legislation, tend to outspend their peers.

The reality is that organisations of all types have experienced security breaches. There remains a misplaced belief in security by obscurity among organisations with lesser-known brands, a smaller attack surface and less stringent industry regulations. The situation in the last two to three years has changed substantially. With so many global state actors and well-funded cybercrime organisations, IT security costs are increasing rapidly. The right answer does not start with a dollar figure; companies should instead work through a digital risk management process.

Rob Theis, General Partner at World Innovation Lab and Digital Shadows Board Adviser.
Issue 15
INTELLIGENT TECH CHANNELS