Organizations and their boards must treat cyber risk as an enterprise-wide issue to help foster a culture in which every person and every department understands it has a role to play in making the organization as cyber-secure as possible, corporate director Susan Wolburgh Jenah suggested Thursday.
The bigger concern as a board member revolves around a culture gap within organizations, Wolburgh Jenah said during the panel discussion, The Governance Gap: Going Behind the Scenes, at the 2017 International Cyber Risk Management Conference (ICRMC) in Toronto.
“Do you have consensus in that organization that cyber security is everybody’s issue?” she asked.
Additionally, there needs to be a consistent view of what the risks are when it comes to cyber, she noted at the conference.
“If you’ve got a culture that says it’s the IT guy’s problem, or you have a culture where the IT guy and the CIO don’t agree on what the big problems are, or you have situations where the business units don’t agree with the CIO what the biggest risks are,” Wolburgh Jenah said, then “that gap is going to be more problematic for the organization than any governance gap that you might describe as a matter of having the right skillset on the board.”
The job at the board level is “really to try to promote that kind of culture that says cyber security is everyone’s issue. It’s an enterprise-wide risk; it’s something we should be talking about at the risk committee, it’s something we should be focused on as a matter of the business units, IT, legal, compliance,” she said.
Corporate Director Susan Wolburgh Jenah
“Everybody needs to bring their skills to the table to ensure that the posture of the organization is as cyber-secure as possible,” Wolburgh Jenah (pictured right) emphasized.
The issue is not so much about a lack of cyber focus, action or expertise at the board level, she suggested.
“From my perspective, and my experience is that we have come very far in a short period of time. If I think back six, seven years ago, people weren’t talking about cyber security. It really wasn’t even part of the lexicon,” Wolburgh Jenah said.
Now, the issue is “on the agenda of every board meeting, people are talking about it, different companies, obviously, are addressing it differently,” she said.
“I think where there is a gap is, obviously, in terms of the level of preparedness within certain companies versus others,” she noted.
“The good news is that if there is a gap, it’s not an awareness gap. I think everybody is hyper-aware of cyber as an issue,” Brian O’Donnell, a panel member and executive in residence for the Global Risk Institute, told conference attendees.
“We’re moving from awareness to knowledge and participation. I think that’s a good thing,” O’Donnell said.
David Bruyea, SVP and CISO, CIBC Technology
“It used to be the case where, for example, people like me wouldn’t even get access to the board,” David Bruyea (pictured left), a panel member and senior vice president and chief information security officer for CIBC Technology, pointed out.
The board would always be accessed “through the CIO or some other senior management person that would attempt to describe the problem to the board on an ongoing basis,” Bruyea told attendees.
“I think what we’ve seen in the last little while is an evolution where I get direct access to the board and they want to speak directly to the practitioners in the organization about what progress we’re making and how we’re managing the threat landscape on an ongoing basis,” he explained.
Another important evolution, at least for CIBC, has been the move away from a very controls-oriented posture “to something a lot more realistic in terms of being more resilient as opposed to being more controls-oriented.”
“I think it’s fantastic that people like you are having that access, because it’s really important to be hearing from the folks that are responsible for the program, the progress that they’re making,” Wolburgh Jenah said.
Regardless of size, it must be made clear that no organization is immune, she emphasized. “The trouble with being small and thinking that you don’t have to pay attention to it is that, in today’s world, the technology interface is getting larger and larger,” she added.
Given how interconnected things are, including business functions, every organization needs to be concerned “as to who is the weakest link in that chain. It may be the folks that are doing all the preparation; it could be somebody that you wouldn’t expect,” she continued.
“I would put this in the category of a complex risk that’s evolving. It’s evolving from a technology perspective,” O’Donnell (pictured right) told attendees.
“Therefore, I think it has to evolve also from the way the risk framework integrates it as well,” he added.
“This is the world we live in; it’s the reality we face,” Wolburgh Jenah said. “We’ll get better at some of the defensive postures, we’ll get better at what to do when there is an attack,” she said.
“But the one thing I think we have to get our minds around as board members and as management is that it can’t be about trying to completely insulate the company from any risk of this happening,” she noted.
“If your mindset is we must absolutely prevent any incident, I think we’re starting from the wrong premise,” Wolburgh Jenah argued.
“I think you want to be as careful and diligent as you can to ensure that you have robust measures in place to try to do that, but I think you also have to be aware that there is a risk tolerance issue out there,” she added.
More coverage of the 2017 International Cyber Risk Management Conference