
Why cybersecurity needs more attention from business leaders

Ken Finnegan
Cybercrime is on the rise but many firms still have no formal security strategy. (Source: Getty)

As businesses have become more dependent on technology, their exposure to cybersecurity threats has increased – driving a need for boards and senior management to understand the risks.

Cybercrime has grown so much that the Office for National Statistics (ONS) recently began including it in official figures. In 2016, a report from the National Crime Agency found that computer-enabled crime and fraud accounts for a higher proportion of total UK crime than all other forms of crime.

The Cybersecurity Disclosure Act, introduced in the US Senate in late March, would force publicly traded companies to disclose to regulators whether there is cybersecurity expertise on the board.

Strategy gap

A 2017 cybersecurity policy report from the Institute of Directors included a survey of more than 800 business leaders. The report found that 95 per cent consider cyber security ‘very important’ or ‘quite important’ to their business, but almost half of them have no formal security strategy.

Board responsibility

Four out of ten IoD members said they would not know who to contact if they suffered a serious security incident, which suggests that cybercrime is not getting sufficient attention among senior management. “While a company’s tech team is clearly best equipped to deal with an issue should it arise, the strategy guiding them falls to the board to dictate,” the report said.

A virtual solution

Aware of this shortcoming, some organisations are looking to fill this gap with a ‘virtual’ chief information security officer (CISO). These are experienced security industry professionals who work with the company on a part-time consultancy basis, saving the effort and expense of having to recruit for a full-time post.

A virtual CISO’s remit is to brief a board on cybersecurity and to drive a strategy specifically addressing that organisation’s most pressing technology-related risks.

Brian Honan, an internationally regarded independent security consultant, says: “They help the company define a strategy, implement it, run it and manage it, or supplement and augment the existing team that’s there already.”
