Balancing Cyber Risk & Reward at Board Level

The challenge of balancing cyber risk vs market reward is a perennial debate at the C level suite and around the wider boardroom.

Not so long ago, the topics of digital and cyber security were viewed as abstract subject matter and often outsourced to specialists, or even relatively junior staff working in internal delivery and support teams. This approach, however, simply won’t have currency over the years ahead. Recent high profile cases, including the Hilton group, British Airways and Facebook, all illustrate that yesterday’s attitudes to cyber security are not enough to make  a digital business fit for tomorrow.

    Now, board members and senior managers will be front and centre of digital cyber security and risks. After all, it’s inevitably the non-technical CEO who is tasked with taking to the airways to explain the reasons behind the cyber breaches, and their impact on customers, business and the wider community.

Now boards and leaders will be compelled to take an active role in the risk and reward considerations inherent with digital decision making around cyber security.

So if the shoe fits –  what will the future look like?

Advice in dealing with cyber security, though well documented, doesn’t offer a ‘one size fits all’ answer –   sometimes it can even be a paradox. The challenge for digital leaders lies in balancing the approach of ‘increase your risk appetite to remain competitive’ versus ‘you need to reduce your risk footprint’.

Here I must apologise for having no absolute answer or recommendation. It’s a little bit like Brexit,  there’s no right or wrong answer, only guiding principles. However, it’s just these principle that can will help individuals identify the level of risk they feel comfortable with accepting and managing on a day-to-day basis.

However, I’d hate to sound like a ‘cop out’,  so what I’ll offer is a perspective based on some wider market observations. Hopefully these will provide some indications of market trends and the headwinds that’ll prevail in these increasingly critical times. This may provide a framework to arrive at an intuitive fit that you feel personally comfortable with.

As a first observation – and at the risk of stating the obvious – if its not on your radar already, then cyber security is a key area for all senior leaders. I say again – cyber security matters. It’s probably the number one threat to your business and potential brand damage. 
The 2018 CIO survey* highlights two board level key areas of focus; Cyber Security and Digital Transformation. So if nothing else is retained from this article, just ensure that you’re personally actively involved in this area – and this warning covers all senior directors – technical or non technical ! The business leaders who increasingly appreciate, articulate and directly support their teams in terms of action-time, effort and spend will undoubtedly deliver more long-term value.  After all, you want your organisation to digitally innovate without opening up the increased risks associated with cyber infiltration.

As adoption of digital methods, new ways of working and technology practices continue to evolve, it’s not surprising that the topics of digital transformation and cyber security now both firmly sit with the board and not with externals or buried deep in the internal machinations of the business. A 2016 survey** highlighted that 85% of business stakeholders avoided engaging with security as part of digital transformation initiatives. While the recent high profile data breaches and issues surrounding cyber security have undoubtedly dented this 85% I doubt if its dropped below 50% ! Even today this statistic seems incredulous, given that large scale digital change has so much potential to impact on an organisation’s security position. Thankfully, if one thing has changed its the collective awareness around the damage these breaches bring and the stealth manner in which they can appear. As some early sign of  maturity risk is finally being considered alongside market rewards . Some would say this is inevitable due to high profile data breaches and the potential of negative press and brand damage. But perhaps this is indicative of wider fundamental structural changes.

There is one clear area where progress must be delivered and that is in building the correct digital discipline and approach methodology while balancing the challenge on how to do this without slowing the pace of innovation and change.

In the absence of us all becoming digital cyber specialists, it’s obvious that clear mission critical objective information is required to provide a framework in which business leaders remain fully informed, able to balance commercial imperative balanced with security intervention. Informed decisions in this complex fields of work are not going to get easier, if anything they are going to become even more challenging from a legislative and morale perspective.

So given the inherent hazards in this landscape what is a recommended or suggested approach. Historically the anws has been to provide corporate deflection and assurance from a top 5,  tier 1 external consultancy. This however has proven to be flawed as reputational damage in other areas has impacted on this insurance policy. So now the challenge is firmly an internal one to be resolved with the right external advice challenging the internal perspective and approach. Senior directors will need to take direct accountability and responsibility supported by an internal team that is challenged by external digital rigour.    

If your organisation is still torn (like some Dr Doolittle ‘push-me-pull-you’) between the best balance of risk and reward, perhaps it’s time to determine, even perhaps formally qualify and declare  your risk appetite? Then when this risk appetite has been qualified take time to isolate projects outside of business critical BAU. This will then allow the business to test and learn with impact analysis on the risk and elements that you can control. This approach provides momentum and allows digital and cyber security to be controlled like experiments in a petri dish.

Digital innovation and cyber security are here to stay and will only grow in prevalence. A challenge some will relish and others – dread. Balancing opportunity and security at the top table is here to stay, so let’s embrace it. Getting the balance right will open more market opportunities and provide a platform of internal digital rigour that encourages and fosters confident ownership of the cyber security issues facing us all.  

*Harvey Nash / KPMG CIO Survey 2018
** DELL Digital transformation security survey 2016