Organisations require a team effort to adequately protect themselves against cyber-risks, now more than ever. Phil Venables, CISO, Google Cloud, examines the role of the board in cyber-risk management and sets out the principles it should adopt to ensure the company is prepared to deal with emerging cybersecurity threats.
Cyber risk has become a major threat to companies in the Middle East. Indeed, cyberattacks can cause financial, reputational and even physical damage. For this reason, the board’s role in cyber-risk management has become increasingly important.
As a board member and CISO, I often discuss cybersecurity and technology risks with executives from companies in all sectors. In these conversations, it is clear that cybersecurity is a major issue for any organisation.
For this reason, we at Google Cloud felt it appropriate to share our perspective on how the board can best address cybersecurity and cyber-risk in general, as well as how to take a more proactive role in these areas, now and in the future.
The board of directors is responsible for ensuring that the company is effectively prepared for cyber threats. This means that they must keep abreast of the latest trends and best practices in cybersecurity. The board must also work closely with the CISO (Chief Information Security Officer) and other business leaders to ensure that the company is adequately protected.
There are three basic principles that the board of directors should adopt to effectively manage cyber-risk:
- Get educated: The board must ensure that cyber-risk is always included in operational and strategic discussions and organisational decisions. This means having a good understanding of the impact that cybersecurity has on risk management and resilience frameworks. The board should also be up to date on the main cyber threats in the current landscape and emerging technologies that could present new opportunities for attack.
- Be engaged: The board needs to build better relationships with the CISO, other business leaders and key stakeholders to understand critical issues and resource needs, ensuring that cyber-risk is treated as a priority for all executives, not just the cybersecurity team. The board of directors should also work closely with the CISO to define cybersecurity roles and responsibilities within the company.
- Stay informed: The board should stay in touch with external organisations so that it is always informed of the latest trends and practices in cybersecurity. This could include attending conferences and seminars, collaborating with other companies and joining industry working groups and organisations.
In 2022, Mandiant, now part of Google Cloud, helped over 1,800 customers prepare for or recover from the most critical cybersecurity incidents. Through this direct involvement, our experts were able to detect more and gather more intelligence than anyone else: more zero-day vulnerabilities; more threat groups; more supply chain compromises; and more extortion tactics aimed at damaging companies’ reputations. Mandiant also observed unprecedented developments, such as the prominent role played by cyber operations in the war.
The threat landscape remains dynamic and complex and we expect these trends to continue throughout 2023 and beyond.
At the same time, we have noted several positive trends for cybersecurity. First, cybersecurity leaders believe that cloud modernisation offers better opportunities for security improvements than on-premises infrastructure, including a significant change in detection and response capabilities. Secondly, active frontline defenders are increasingly making progress in reducing the time it takes for organisations to discover a compromise and implement related protections. Shortening this timeframe significantly raises the overall level of IT security.
When boards consider these trends, they must understand the link between threat intelligence and risk mitigation.
The board should work closely with the CISO to adopt a three-tiered approach to protect, scale and evolve, including when it comes to modern AI technologies. This approach should include establishing policies and procedures for the use of AI technologies, assessing risk and establishing appropriate security measures.
It should work with the CISO to understand the connection between threat intelligence and risk mitigation and how to bring external cybersecurity partners to the table to help translate frontline intelligence into useful information. This could include working with cybersecurity service providers, threat intelligence organisations and other companies in the industry.
In summary, the board plays a crucial role in cyber-risk management. By adopting the basic principles of getting educated, being engaged and staying informed, the board can ensure that the company is adequately protected against cyber threats.
By working closely with the CISO and other business leaders, the board can ensure that the company is prepared to deal with emerging cybersecurity and AI-related threats.