How do you help the board get to grips with cyber risk and exposure?

Published on Mon, 01/10/2018 - 12:17

That was the main question in a highly informative panel discussion on cyber governance at the Technology Academy Day.

Airmic surveys and a roundtable earlier this year identified cyber as an issue that companies are finding difficult to resolve, whilst the increasing reliance on data demands a different approach to governance.

But where do you begin? Camilla Kampmann, a non-executive director on the board of AIG Europe with considerable experience in the technology sector, set out a clear approach: identify your 'crown jewels', that is to say the data and applications that are really important to the organisation. You cannot give your full attention to every aspect of your operations, so you must prioritise.

At AIG, claims systems are a top priority, she said, as they affect clients. The security of sensitive data is another area that demands full attention.

She also recommended drawing up a kill list, essentially legacy systems that you are not using - what she called "the dark side of IT". They typically use old technology and are therefore easier to penetrate. "These systems need to go," she said.

Eleni Petros of Marsh said that not all companies take the 'crown jewel' approach. Boards are often of a generation that treats financial risk very seriously but does not really understand cyber issues. How many companies still regard cyber-security as an IT issue, she asked.

Every board, she said, should have at least one member with the necessary skills. They need to identify the key areas of liability and appoint the necessary internal and external expertise. She urged companies to instil a culture so that big cyber-incidents get the attention of the board. She also stressed the need to be able to demonstrate the necessary governance.

Dr Jamie Saunders, a strategic security consultant and visiting professor at UCL, came at the subject with some practical questions. How are you exposed to events in your supply chain? Who is liable? Who can you sue? How will their policies respond?

He said control frameworks and risk registers need to be broad, and it was essential for business to understand the risk environment in which they operate. Think cyber-risk when outsourcing and ensure there are crisis management plans in place.

In the Q&A session that followed there was an interesting discussion about ISO 27001, the standard that covers information security management systems. Panellists criticised it for being too narrow and yet, conversely, trying to protect everything. Nonetheless, as a member of the audience pointed out, it is often demanded of contractors. Without certification of this ISO standard, they will not get the work.

By way of summary, the panel chair Seamus Gillen emphasised three key take-away points: keep the board informed; be able to provide evidence of your cyber-governance, especially when things go wrong; and ensure that your cyber-governance is appropriate for the organisation.

We can expect to hear a lot more of this subject.