
So, when last did you go to the doctor? A couple of weeks ago? Okay, so maybe this will be fresh in your mind. I want you to imagine that you're going to the doctor, and when you get there the doctor asks you what's wrong with you. They take note of all of your symptoms, they have some idea of what exactly is going on, and they have a diagnosis. They'll explain it to you, and you've got this 15-minute window in which they explain all of this information to you. Then they start writing a couple of things down, on their notepad, and then eventually they also write you a script, because you may need some medication. And this is what you get. Does this look familiar to anyone? Okay.

So you take this. I don't know if you actually remember what the doctor told you, because sometimes they'll tell you, "Okay, I'm prescribing this," and they list all the things that they're prescribing, they tell you when you're supposed to take it, how to take it, but it's all done in about 15 minutes. I mean, how much of that did you remember, exactly? I can tell you, for me, I don't remember that much. I just wait for the pharmacist to tell me.

Now you go to the pharmacist and you give them your script, and that's what it looks like, but only the pharmacist knows what that means. So you have no idea; you have all your faith in the pharmacist, and by the way, you've forgotten what the doctor told you. So the pharmacist is going to translate that into clear text. You get there, they start typing things up, they put it on a very nice label, and they also tell you how to take these things and when to take them. Sometimes you might have questions and you'll ask them, but again, it's a short window of time. You're standing in the queue, they give you the pills, you go home. That's what it looks like. You trust that they've given you the right information, the right pills; you have no way of determining whether that's correct or not, because I'm sure you can't actually remember what the doctor said. So you take it blindly. You trust them.

Now, I gave you the view of walking in as a patient. Now imagine you're the doctor, because that's what we kind of do all the time. We forget that we have certain technical information that other people don't necessarily know, and sometimes we think that the person doesn't need to know certain levels of information, so we don't share it all the time. And when we do share it, we forget some of the base knowledge that we have and what that actually means; we just assume the person is on the same level as us. And that's what cyber security is, right? Explaining cyber security to someone who is not in cyber security. I'm very glad that the room emptied out very quickly, because the people that I am going to offend are not here, so thank you for staying.

Now I want to get into some of the detail. My name is Sandika. Part of my day job for a good number of years has included
putting together board packs: packs that go to exco and then to various board subcommittees, notably the audit committee, and to the board itself. I predominantly put together very technical, IT-related information, and I have to translate that in a way that helps them understand how we are governing our environment and how we are managing certain risks within it. And then my other job, when I moonlight, is that I sit as a board member, sometimes an audit committee member, mostly as an IT... well, they call me an IT expert. They use my IT expertise to help decipher some of this information and understand what it means for a board: how do they make sense of this information? Are we, as a board, managing our fiduciary responsibilities in terms of IT governance? From a King IV perspective, that's pretty important. So that's my job: to help identify whether there are any gaps there, whether there is something that I can advise management to do better.

So, these numbers that I wanted to share. Some of them vary, like that 277; sometimes you see that number, sometimes you see 182. That's the number of days it takes to detect a cyber breach. Of your board members, 88% of them view cyber security as a business risk. They no longer see it as an IT risk; it's a business risk. Yet only 3.9% of board members have any form of cyber, IT or data experience at all. That's a shocking number. So board members know the importance of it, yet they don't have the expertise, and we know that a cyber breach goes undetected for about 9 months.

The question I'm often asked is, are board members concerned about cyber security? I think they are; it's just that they don't say it that way. They use different words, different terminologies. These are the words, I guess, that we use, but it all talks about cyber security. A board is responsible to their shareholders. If you look at the Companies Act, if you look at King IV, they all talk about us making sure that we manage any risks to the environment, and one of those risks would be cyber security: making sure that your business is a going concern, making sure that you manage your reputation, all of those sorts of things. From a regulatory perspective, we've got lots of regulations out there, notably POPIA, and we need to ensure that we comply with those regulations. We're also responsible for holding customer data; customers hold us accountable for the information that we have of theirs and what we do with that information. We work with partners and suppliers; nobody wants to work with a company that is reckless with how they manage their systems, the way that systems talk to each other and how the data flows. And then the media, like MyBroadband: you don't want to be on the wrong side of the media. You want to be able to convey the message that you are managing your risks appropriately. And then again, the board is responsible for, well, accountable to the community itself. Think about any company you know: what do you do, what services do you provide? It's not necessarily just to your customers; it could be to the community at large. Are you providing services to the most vulnerable members in the community, for example? Are they reliant on your systems and platforms to be up and running? So that's what a board is responsible for, and each one of those items talks about cyber security. So they are very much aware that cyber security is a problem or a concern for them; they just don't use the same language.

Now, remember the example of going to the doctor. I want you to think about that example throughout this entire presentation, because the point of this presentation is to talk about translating that. So I just explained that we are the doctors. We are talking to pharmacists, we are trying to explain to our patients, but our patients don't always understand. Our patients don't remember, they don't understand; they come to us for advice. They know that the advice that we give them is sound and accurate and true, but how do we make sure that they understand, that they leave our rooms with the right level of understanding?

So for a while we've been talking about having CISOs get a seat at the table, because that solves the problem in terms of translation. If you've got the CISO at the boardroom table itself, your board members, the rest of the 3.9%, don't have to wonder; they've got someone who can advise them sitting in there. But it's not as common as we think. 75% of board members feel like they adequately invest in cyber, so they spend a lot of money on cyber, yet 47% of them feel that they're unprepared to deal with an attack. So they're spending money because someone's telling them this is important and you need to invest the money to protect yourself, yet they still feel like the money that they've spent is not adequate to help them in an attack. And yet only 12% of CISOs sit on a board. 12%. Which means that most of the cyber security agenda is being driven by the CIO, maybe, the CFO, maybe, but ultimately whose
risk is this? It's the CEO's risk. We often think that the CISO needs to be there, to be present, which helps with the translation, but at the end of the day the CEO is responsible for cyber risks, the same way we hold CEOs accountable for anything else that goes on in the organization. Yet for some reason, when it comes to things about cyber security, we say, "Sorry, that's too technical for me, let me bring in someone in IT."

So I want to talk to you about the CISO evolution. Back in the '90s, when we still started with information security, it was very limited in terms of what we were securing: a lot of authentication, basic authentication, credential management. We were just starting to see a lot of the foundational elements that we see now. In about 2000 we moved to a regulatory compliance era, so now we had to take information security pretty seriously, because it wasn't just a matter of protecting the organization because we wanted to or because it was the right thing to do, but rather because we needed to comply with certain regulations. So that helped elevate the role of cyber security. Then around 2005 we saw a move towards us being a bit more proactive in terms of managing our risks, so we were more risk-aware rather than dealing with things as and when they came up; we started being a bit more proactive with that. In about 2010 it was more around actual threats we were seeing, so we moved to that threat-aware era. Then in about 2015, privacy- and data-aware, in terms of GDPR and a lot of the privacy regulation that became a lot more mainstream; customers also knew about it, and customers started demanding more. So right now, in about 2020, we're seeing a lot of these CISOs being included in the C-suite themselves, which, by the way, is not necessarily the answer. We don't always need to have the CISO in there; I think the point is to make sure that we have the right level of information for the right people to make the decisions.

So that's the evolution. We've done a lot, yet there's still a disconnect between the CISO and the board. The board still doesn't understand cyber security; you've seen the stats. The CISO obviously understands, but for some reason the board doesn't understand what the CISO is presenting. And why is that? I think mostly it's because there are different priorities. If you look at the CISO's priorities at the moment, they revolve around things like insider threat, email fraud, business email compromise, managing your security risk in the face of business disruption, and things like vulnerability management. So those are the top concerns in terms of what a CISO is involved in today. But what is the board actually aware of? The board actually doesn't really care about any of that. They want to know: are we safe from a ransomware attack? Tell me that. What do we do in the face of a ransomware attack? I'm worried about my cloud; how safe is my cloud, is there any risk of compromise in that cloud? What happens in the event of a security incident, how are we able to handle that and how quickly can we manage that? What about business continuity? Tell me how I will continue my business operations should something happen, should an attack, should a breach happen. And then sustainability of the function, of the organization, of everything.

So how do we bridge that gap? I think that's where the CISO comes in; it's creating that fine balance between the two. It's very clear what the board wants. They want to know: what are the risks to my business? Tell me the risks and tell me how well we're managing those risks, and are those risks costing me money? Speak in simple business language. When we look at the board, the board understands things like profit and loss; they understand business, they understand the core elements of their business. So when we come to them we need
to speak to them in that language. So what do they really need from CISOs? Well, actually, they want counsel. They want someone who is technical to say, "Let me look at this data and let me translate it into something that is a real business risk to you." And it's also a bit of education as well: how do you convince the board and the C-suite to assume responsibility for data and system security? If I had to ask you right now, who is responsible for cyber security risk, what would your answer be? Anyone? Any answers? Who is responsible for cyber security risk? CEO? Yeah, CEO. I know we say it's everyone's responsibility, but if we had to hold one person accountable it would be the CEO. How many CEOs know that they're responsible for that? Yeah. So it's a bit of education in terms of how we teach them, and how we counsel and advise them to say: you, as the C-suite, this is what you should be responsible for. So yes, you might be developing new products and services, but do you know what you need to be responsible for in terms of cyber risk?

I think we also need to position our assessments from the board's perspective. Think about what the board is most concerned about, and then tell them how these risks could keep them from meeting their objectives. That's pretty simple: take one look at the strategic risk register and you know exactly what they're worried about, so show them how anything in your environment has an impact on that. And then, we're very good at quantifying risks, in terms of what is the impact when a risk occurs and what is the likelihood of it occurring. We put it together, we get a number, and then we put it in as high, medium or low, plotted on a heat map, and we present it to the board. That is something that we can easily do, and that's something the board understands, but I think sometimes, when it's a very technical topic, they don't necessarily understand what that means. What does the colour coding mean? They know red means bad, but maybe let's try and quantify it into something that actually makes a bit more sense to them. One of the ways is to look at it in terms of actual money, because we know those things. In the event of a breach, what would a fine be? We know that, so put that down. You don't have to say it's high; we can say, well, this is the value at risk.

And then, in terms of actually providing solutions to the board: when you bring them all of the problems, provide the solutions that mitigate that business risk, and make sure that you can easily articulate that into what we need to do right now. Because the one thing you don't want to do is scare the board. You don't want to tell them, "You need to do all of these things right now, and if you don't, we are at serious risk of attack." Yes, that might be true, but we also need to be able to manage our resources: what do we need to put in place right now, what can we live with for a few months, for a year, what does that road map look like? So taking it from a short-term to a long-term solution and providing them with something that is a bit more tangible, that makes sense: here's our road map, this is what we need to do, and then let's look at the risks and this is how it's going to help us manage those risks.

But it's not just up to the CISOs to do that; the board has a part to play as well. Now, what does a board do? Well, they're responsible for general oversight of the organization. I mentioned earlier that they report to the shareholders, they are accountable to a number of other stakeholders like your community and all that, but they cannot get involved in day-to-day operations. What they can do, though, is provide the general direction in terms of what we need to do and how we need to do it, given the resources that we have. So they would be looking at things like what assets to secure, what initiatives to explore, but they don't come up with those ideas themselves; we are the ones that give them those ideas. So we need to make sure that whatever we're giving to them helps us at the end of the day. So the CISO creates that strategy, but they can't create that strategy on their own; they have to collaborate with the CEO and the CIO. And that is one of the elements where we need support from the board. The board needs to say: when you look at the CEO, we say as a CEO you're accountable for everything, delivery of everything, this entire business, including whatever risks may come from that. We don't ever abdicate the CEO when we talk about things like regulatory risks in an uncertain market, but yet we don't consider the cyber and IT risks, and we need to do that. And I feel like the board doesn't give CISOs much
attention. There are special kids in the C-suite, one of which is the chief audit executive, who reports directly to the audit committee. One of the special kids, because you get all the attention: you get special meetings ahead of time, ahead of the board meetings, special meetings with the audit committee chairperson. But why don't we do the same with the CISO? Maybe it's time to start doing that.

The other aspect is that we know, from a King IV perspective, that you need to ensure that you're managing your cyber security risks, but how many times have you ever seen that on a board agenda? How many times have we even seen it on an exco agenda? If we don't see it on an exco agenda, how do we even expect it to be on a board agenda? And it needs to be explicit. The moment we start hiding it behind our projects, our project portfolio, or behind the IT governance report, it starts getting lost. So we need to make sure that it's front and centre, and that is something the board should do, because the board knows that they're responsible for that. In that way we start seeing it as a strategic risk, and then the right questions are asked. Another question to consider is how many of your strategic risk registers include cyber security, and if it's not there, why is it not there? Have we interrogated whether there really isn't a strategic risk?

So then, in terms of how you put together those board reports to make sure that you are actually putting on all that information I mentioned, and that it's there and they can see it: this is more like a summary of everything that I've just mentioned. One of the things is, avoid the technicalities, and make sure you're reporting on the right questions and you're reporting on what matters to the board, such as your business risk. Now, measure what matters. The board does not care about how many vulnerabilities you have in the environment, and that information comes to the board, by the way; it comes in the form of audit reports. So don't get lost in the detail; help them understand what that audit report means, is there something they really need to be worried about. Rather focus your attention on things like the cost per incident, the time it takes to respond to the incident, what the financial impacts are, and make sure we give them enough context. So we talk about ransomware, for example; everyone's scared of ransomware, but what does it mean for the business? What does it mean in terms of financial viability? What does it mean in terms of sustainability, continuity? Also, come prepared with solutions. We need the board to understand what we need to do in order to solve our problems, so provide the recommendations that we want them to approve, provide those actions; don't just list problems. Don't scare them. The moment you scare them, they're just going to be closed off; they're going to say, "This is too technical, I can't get involved," and it'll take you so much longer to get anything done, because then they're going to want to get independent opinions and all that. It's a lot easier to be able to explain it to them in a way that helps them understand, without scaring them. And if you can, prove the return on investment in cyber security. I know a lot of the things I'm saying here are easier said than done, because if it was easy everyone would be doing it, but revenue and loss is the language of the board; if we can report on how cyber security improves that, then we've got them on our side.

So this is something, I can't remember where I got most of this information from; it's stuff that already exists. This is not my view of how the CISO's role will be in
the future; this is something that already exists out there. The CISO needs to have a good blend of business and technical acumen. There are a lot of people that say you can't be a CISO without being a technical person; I roll my eyes at that, and then a lot of people think it's because I'm not technical. But on the other hand you need a CISO who is able to speak the board's language. It is very difficult to have a combination of both. I was talking to someone earlier and I said, you don't need a CISO who knows how to do a pen test; you just need a CISO who understands that the pen tests need to be done, and they need to understand the environment in which to conduct that, what the results mean and how to remediate that.

We should have a dedicated cyber security committee. We have been having IT steering committees for a long, long time, and we didn't always have an IT steering committee; the reason we needed it was because we needed some level of governance to ensure that we were looking at IT holistically and making sure that whatever IT is doing is supporting the business strategy. So why not have a dedicated cyber security committee? Does anyone actually have that in their organization, a cyber security committee, similar to IT steerco? Well done. I'll be interested to find out how you do this, but that's like one or two people out of the entire room. We need to start with that. If we can have a cyber security committee, then we would get the same level of reporting that we get on the IT security side that goes all the way to the board. And remember, the IT steering committee is made up of members of business, the consumers of IT, and they give the CIO a very hard time, because it's as if they're paying for a service and they want that service. But it's the same thing with cyber security: we need to be able to say, we're here to help you secure your business, your data, so come in and tell us what we're not doing or what more you need from us, and let's start working together to do that.

We keep talking about a cyber security skills shortage. There's really no shortage; it's just that a lot of people want their security analysts to be present and on-site, and they don't want to consider things like remote working. So the moment we start looking at alternatives in terms of how we manage our staff, we start realizing that we have a large pool of talent to source from, where a lot of the younger kids don't want to come into the office, but you could also broaden outside the borders of South Africa. Also look at the way that we manage our staff and upskill our staff, and get people who don't really have the foundational-level knowledge, and how do we help them improve that?

We need to start partnering with other departments; we need to be better at that. When I spoke about the IT steering committee, the whole point of having an IT strategy is to make sure that that strategy is aligned to the business strategy. Part of the role of an IT steering committee is to make sure that they know what they need from you. So if we go to key areas in the business that cyber attacks could impact, that would be things like your sales department, finance, marketing: find out what they need from you and make those partnerships. If you as a CISO don't have that seat at the board, guess who is your voice in that room when you're not there? It's these guys. And we need to expand to include threats in the physical world too, so it's not just in the cyber realm, but how does it affect things like our supply chain. And then also, I think it's time that CISOs actually have a real seat at the board. And that's me. Thank you, guys.
Hey. Hi, yeah, that's always the question I get asked. To be honest, the answer is I don't know, and it is something that you do case by case. The easiest example that I can think of is: you don't always need to have a monetary value. The monetary value I gave is just an example, so we can use that in terms of things like fines; we can quantify that. In terms of other incidents, in industries like finance, insurance, or industries where there's real-time transactions happening all the time, whenever there is loss of business operation, like let's say something goes down and you cannot take transactions for two hours, the risk department will usually do something like a loss calculation. They will say, this is the revenue that we were supposed to have received within those two hours, and that is your loss calculation. So I think that's why it's good to partner with various other people in the business, because if you go to your risk department and they have the ability to say how they quantify any incident that affects business continuity, then you could use the same sort of calculation in doing that for any other incident that you have that would affect any specific function within your organization. But we don't have to; what I'm saying is we have the ability, we can do it, if it's possible let's explore it and then write that down.

I was busy with an exercise recently for disaster recovery as well, because if you look at disaster recovery, you don't need an entire DR environment for your production environment. So what is it that you need? Which functions do you really need in a disaster situation in order to run? And then part of that is, how much would that cost? So before we even get to that cost, let's look at why we need that DR solution. If this specific environment is down for an hour, is that good enough, and what is the value at risk, what is the revenue that we are losing in that time? Is that value sufficient for us to create an entire DR environment for that, or is there another solution that we need to look at? So there are ways to do it. And then, you don't always have to look at the monetary value; we can go to things like our reputational risk, or the risk to the community, or what does it mean; there are other things. But what I'm seeing now is that we're so desensitized to breaches, because it happens all the time. Even me: at some point I used to be quite angry whenever there was a breach, whenever there was what I'd call negligence, but right now I think I'm a lot more sympathetic, because we seem to accept that it is going to happen despite our best efforts. But that shouldn't then prevent us from doing anything at all. A lot of times I know that the business counterparts will say things like, why would you rate cyber security as a high risk, or a breach as a high risk, a data leak or whatever, because all our data is already out there? So we need to find another way. If that is already the perception that they have, that it's not a huge risk, then what else are they worried about? And that's where we can focus on the financial aspect. Cool, I think that's it then. All right, thank you, guys.