Boards of Directors overseeing many businesses like to stress that they encourage operations that have low-risk levels for the organisation. So that they can reassure investors and others that the risk to their capital investments is minimal. A recent article on Dark Reading titled How Boards Can Set Enforceable Cyber Risk Tolerance Levels discusses the trade-offs many businesses face when balancing risk levels against cybersecurity best practices and business growth.

In the rapidly changing business environment, there are always pressures for IT systems to grow and adapt quickly to support growing revenue-generating services. As we all know from experience, rapidly expanding IT provision to support business growth is not always aligned with robust cybersecurity. How can Boards ensure that their CEO, CFO, CISO, CSO and others in day-to-day leadership positions make decisions that enable good cybersecurity to be maintained when change is rapid?

Some Comments on the IO World Asia Article

Ensure that C-Suite Cybersecurity Leads have Authority

The CEO and leadership in a business typically get tasked to deliver revenue growth and profits. Often this can be in conflict with the need for good cybersecurity practices, as the latter can act as a brake on business decision-making. If a Board of Directors is serious about minimising risk, then the CISO and CSO in a business need to have the authority to prevent risky activities that undermine security. Even if these temporarily impact the bottom line, the CISO and CSO should be able to delay projects that weaken cybersecurity until they get done in a way that benefits the business without diluting security.

Be Willing to Wait before Implanting New Business Initiatives

Sometimes the requirements to deliver a low-risk and highly secure change to systems to support a new business project will take time to plan and implement. The Board needs to be willing to listen to the arguments from the C-Suite and err on the side of caution if the CISO and CSO are requesting time to implement secure change. This is essential if the Board is genuinely operating a low-risk organisation.

Nothing is Ever That Simple

A Board saying that their organisation is low-risk and then delegating authority to the C-Suite to operate within this low-risk culture is a nice ideal, but things are never that simple in the real world. The business landscape is very dynamic, and C-Suite business leaders have revenue and profit targets to deliver. There will always be pressure on the CEO and CFO to take risks.

Reducing this risk without slowing business decisions too much will always be a trade-off between C-Suite members, irrespective of the Board directives. Often the outcomes will be based on the relationships between business and technology leadership. If the CISO is a trusted part of the team who doesn’t ‘cry wolf’ at every change, then when they do raise concerns, they are more likely to get outcomes that are beneficial for everyone.

Final Thoughts

As is true for almost everything in business, the low-risk organisation is a theoretical ideal. One that is nice to consider, but for actual businesses, there will always be trade-offs that balance business decisions against their risk. In many cases, the business change that an organisation is considering will have quantifiable risk attached. This risk, or one very similar, will likely have been encountered before by another organisation.

Halodata works with multiple vendors, security partners, and businesses. Experience from work across this landscape will likely include projects very similar to any a modern enterprise is contemplating. By tapping into this experience, solutions to reduce the risk associated with a business change are usually obtainable. A solution that often reduces the time to market for the business project without decreasing security.