How important is cyber risk to the board?

In the midst of the craziness of this week I was researching not-for-profit organisations when I discovered an anomaly in their annual reports.

The first report I read had no reference to cyber security, information security, business security or data security. I thought that was a little strange, so I read another.

After downloading and reading 15 not-for-profit organisations' annual reports from last year, I found that not one of them made any reference to what they were doing to safeguard their clients', users' and sponsors' information.

Even in the executive summary, protecting the assets was not mentioned.

One of the 15 had 3 pages on their IT infrastructure, but this only discussed the number of people, servers and offices managed by the organisation and how people connected to the information staff needed to do their jobs.

If there is no information about cyber in an annual report, I have some questions.

Is the board room accountable to the shareholders when it comes to cyber?

The buck stops with you and if you are not taking into account the digital components of your organisation then you have a problem.

How serious is the board about protecting their staff and stakeholders?

If they are not discussing it, or are just giving it lip service, then there is going to be a time when the organisation suffers a cyber event and no one will know what to do.

Business security is all about preparedness. What will happen if this happens? What will be the impact on the organisation in a cyber event?

Has risk management taken into account the unique risks associated with the digital world?

All of the risks in today’s business world have to be addressed.

Of all of the risks that businesses face today, probably 20% are traditional risks. Some of them also have to be looked at with a cyber component. For instance, what happens if you lose power? How are you going to mitigate the impact within the organisation at a digital level?

If risk has not been discussed, how safe is the data?

A board not addressing today’s risk at management level shows a profound disrespect for the whole organisation.

A simple error, no matter what it is, can expose the organisation to financial, reputational and personal loss. That loss can be incidental or profound, but if not addressed it will have an impact on the organisation.

Why do they not consider the digital world a risk to the organisation?

A recent discussion (actually about 4 years ago) said that although everyone knows computers, not everyone understands the fundamentals of how they work.

Taking this attitude, that everyone knows computers, into the board room will have a detrimental effect on business. It will have a bigger impact because technology is changing. The increased reliance on all things cloud based, mobile and social means we have to think outside the box. We have to include all of these items in our understanding of the digital world and its impact on our risk analysis.

What has actually been done to safeguard the data under their control?

In most cases, very little.

We often see: "The IT department will handle that!"

That is wrong on so many levels.

Making the organisation safe at a digital level requires a different skill set, business requirement and technology understanding than keeping the lights on and the computers operating.

With all of the compliance and governance in business, how have they got around doing it?

Delegation of duties, without delegating authority, is a regular occurrence.

"Yes, the ICT team will look after that."

Without the authority to make change, there are going to be large areas within the business that no one has focused on.

Compliance and governance are not a tick-in-the-box process.

It is a complete overhaul of business attitude to protect the data that your clients and staff have faith in you protecting.

Break that faith and see what happens to your organisation.

In addition, governance and compliance are the realm of the board room; delegating them does not mitigate the risk associated with a cyber event.

Ignoring the impact of a cyber event at the board level has already caused a number of high-visibility board members to resign or, even worse, be fired.

My conclusion

Somewhere we are failing.

The message is wrong, the medium is wrong or the people delivering the message are wrong.

No matter how you slice it, getting people on boards to understand that digital is a thing, and that protecting data is a thing, is very difficult.

There is an old adage, “to get people to invest in disaster recovery burn down the building next door”.

The same applies in business security.

The surest way to get boards to invest in digital and business security is to have something happen.

Whether organisational or personal, an attack on them will get investment in protecting the organisation.

It is no longer a case of investing in insurance. Today, digital protection is not insurance; it is an investment in your brand, your reputation, your staff and y

Why we need to treat business risk properly!

Risk Management – Today’s Balancing act is all about Business Risk

Why is it that until you are knee-deep in a full-blown cyber event, it is still just someone else's problem?

Until you have limited or no access to business resources, do we still think that it is someone else's problem?

When does it become a business problem?

When does it become something that YOU, as a manager, C-level executive or board member, have to think about?

I have been asking that for years.

Risk management and reducing the impact of residual risk have been around for centuries. We have always looked at natural disasters as a risk to the business.

When it comes to the digital components, the ones we use to do business, the ones that have a critical impact on every organisation, the ones we use to invoice, communicate and socialise with our clients and staff, why do we fail to see the impact?

We get blinders, a narrow viewpoint, and we fail to see the risk that the digital world can deliver to the organisation.

We fail to see the significance of the risks that come from our digital world.

If we do see it, it has to be an ICT problem.

We are talking about computers and data, therefore it has to be an ICT issue.

This is definitely one of the strangest attitudes in today’s world.

We can no longer treat business risk with the same attitude we have always done.

Today's business risk is a whole-of-business problem and needs a whole-of-business approach to manage it.

No matter the risk, all risk has an impact on your organisation. All risk has to be treated.

No matter the system involved.

Business risk has to be treated with one of the following treatments: mitigate, accept, transfer or reduce.

Before you can apply a treatment to it you first need to acknowledge the risk itself.

To do that you have to think the risks through.

Every little thing that could and would impact the organisation and how the organisation will react needs to be processed.

This includes risks to reputation, data loss, finances as well as the impact of ransomware.

Have you taken all of your risks into account?