"We were surprised because you don't expect something like this to happen," the COO of the largest containership company in the world was quoted as saying when their computer systems were rendered inoperable by a cybercrime-generated computer malware in late June. This happened despite the company management and board's extensive efforts to protect the company from just such an event.
Unfortunately, this scenario haunts many directors. Nearly 60% of directors find it challenging to oversee cyber risk, according to the National Association of Corporate Directors (NACD) 2016-2017 Public Company Governance Survey. Cyber risk also was ranked as the top risk for boards in the 2016 Board Practices Report by Deloitte's Center for Board Effectiveness and the Society for Corporate Governance.
There are, however, practical, actionable steps to ensure that when a cyberattack hits, your company will be both ready to address the threat and resilient enough to recover from it.
Technology has moved from an enabler to a core business imperative in virtually every organization because of technology's pervasive presence in processes, customer delivery and communication protocols. Cyber risk has moved from the IT department to a full-fledged enterprise risk.
Leveraging a flexible and uncluttered framework--what we call "The 5 Rs"--is key. Understanding cybersecurity issues will support the board's governance obligations, propel innovation, protect reputations and enhance financial performance. For cyber risk, it is possible to follow the old adage "nose in, fingers out" from a board governance perspective.
The 5 Rs framework represents a straightforward and easy-to-remember approach for board oversight.
Readiness: The implementation of foundational cybersecurity practices, often called cyberhygiene--policies, assessment, training--points to an organization's overall state of cyber preparedness.
Resilience: A cyber incident is not a matter of "if," but "when." Ensuring the organization can operate through and recover from an event is essential.
Resources: The availability and allocation of human, financial and technological resources are critical inputs that must be deployed in a balanced manner.
Reporting: Clear, consistent, jargon-free reporting supports board engagement and awareness on cybersecurity topics.
Results: Driving results means answering the question, "What does success look like?" A clear vision will guide, motivate and inspire.