How to avoid security being too little, too late
October 19, 2020
We all know Board members have a lot on their minds. Between the explosion in technological change and innovation, a global pandemic and navigating economic crises, they could be forgiven for not keeping up with the latest and greatest in cybersecurity. And yet, when it comes to being vigilant about risks to the business, responsible boards and directors need to keep their eyes firmly on the security prize. In short, in a sea of urgent issues, security is a priority and needs the scrutiny of every Board member—up close and personal.
Our world is being digitized and connected. From cars and medical devices to oil and gas infrastructure or industrial plants, the list of what’s online, anytime grows longer every day. Combine that explosion of innovation with the demands of understanding and implementing technologies such as artificial intelligence (AI), advanced analytics and machine learning to remain competitive and there are some serious challenges facing any business’ most senior leaders.
Being better able to assess risk helps. But many in the C-suite are not clear how to balance risk with staying competitive, or do not have a clear strategy for building risk into their overarching security strategy. In the shape-shifting world of cybersecurity, risk is its own chameleon. Our 2020 State of Cyber Resilience study found that attackers have already moved on from direct attacks to targets in the supply chain, such as vendors and other third parties. Indirect attacks against weak links in the supply chain now account for a considerable 40 percent of security breaches.
A topic I have talked about in the past that continues to have its day in the sun is ransomware. Aided by the explosion in connected devices, thanks in part to the Internet of Things, and new vulnerabilities from the migration to remote working that has resulted from the COVID-19 crisis, bad actors are successfully using ransomware and phishing in new and sophisticated ways. Game-changing ransomware attacks, such as the Maze threat, mean a name-and-shame technique has gained momentum that calls into question the cost versus disruption debate. Some Boards may be finding it easier to simply pay up.
Let’s not forget the role that trust plays in all this, too, especially when it comes to protecting valuable data. Accenture research estimates the difference in revenue growth rates between losing and earning employee trust through the use of workforce data is as much as 12.5 percent, or US$3.1 trillion globally—and that doesn’t include trust breaches outside the organization, with consumers and stakeholders, such as investors.
As the Global Quality and Risk officer at Accenture Security, I am responsible for not only identifying, assessing and managing risk and the quality of security services, but also for liaising with our Board. I frequently act as a trusted C-level advisor for Accenture clients and not too long ago participated in a panel on the topic of AI. During the session, what surprised me most was that probably 50 or 60 directors—super-smart, senior people—admitted they really didn’t know what AI is going to mean to their organization from a risk perspective.
I believe underestimating risk puts revenue, reputation, competitive standing and even survival at stake. What other business case do we need to illustrate how necessary it is for the C-suite and Boards to get more involved with security today?
Technology, security and cyber criminals are all evolving, some faster than others. So, it’s important to evolve and educate your organization at every level. Here are a couple of ways that Boards can provide a firm cybersecurity foundation for their organizations today:
Encourage diversification. The importance of adding people to the Board with specific skills in cybersecurity and/or people who come from a technology background cannot be overstated. We should recognize that, today, many directors and Board members come from a certain generation and, although they may be brilliant when it comes to business strategy, security demands were different “back in the day”. Blockchain, quantum computing, 5G, and the fact that AI requires so much sensitive data mean the game has shifted—to demand new skills and thinking.
Introduce independent thinking. Employ the impartiality of a third party to help you understand what you are facing, and what to do about it. Even if your in-house team is saying, “We’ve got this,” it’s better to verify that independently and make sure you are putting security first. For example, external “white hat” teams can test defenses, and some organizations offer safe lab environments that replicate a company’s IT and cyber defense environment. It means your company can test potential security solutions in real-world situations.
Every Board has a responsibility not only to watch its own back, but also to calculate risk across its broader ecosystem. When it comes to security, let’s make sure the response to that risk isn’t too little, too late.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
The reproduction and distribution of this material is forbidden without express written permission from Accenture. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this document. This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
Copyright © 2020 Accenture.
All rights reserved. Accenture and its logo are registered trademarks.