Business leaders and cyber experts can defeat online threats – but only if they work together


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Dr José Viñals, Group Chairman, Standard Chartered Bank, Darren Argyle, Group Chief Information Security Risk Officer, Standard Chartered Bank

  • Honest communication between board members and information officers is critical to good cybersecurity.
  • Cyber experts must relay their insights through non-technical storytelling and make a pertinent business case.
  • Business leaders should aim for a cyber-aware culture permeating an entire organization.

Against a backdrop of escalating geopolitical tensions, the rise of hybrid working and the demand from employees to stay connected anytime, anywhere, organizations are facing a particularly challenging task in managing their cyber risks.

For banks, this means that the traditional three lines of defence model of risk management is coming under as much pressure as it ever has: The first line means the Chief Information Security Officer (CISO) owns and manages risk; the second line means the Chief Information Security Risk Officer (CISRO) provides challenge and oversight; and the third line offers independent assurance. Given the interconnectedness of the financial sector, and its status as a target for threat actors, it is critical that we continually seek to enhance our resilience and ensure the sustainability of our controls.

Engagement between the chairman of the board and the CISRO is thus important, as the latter needs to provide confidence to the former that the organization is appropriately managing its cyber risk. Despite its rising importance, however, many board directors still find cybersecurity a complex topic that sits outside of their experiences. Honest and regular communication between the two can help bridge this gap.

Break down complex concepts

CISROs and their leadership teams can help by storytelling: breaking down complicated cybersecurity concepts into bite-sized updates, such as providing governance papers and briefing notes that convey the relevance to the business of risk reduction initiatives or regulatory changes.

Inherent in cybersecurity is a certain level of technicality and complexity, but it is crucial that cyber leaders communicate with impact and influence, and harness the ability to translate the technical into the understandable, so that board directors are able to question with insight and perform their role more effectively.

There are practical steps to help nudge governance committee members into engaging more effectively with cyber risk. For example, creating repeatable templates that can be used for paper submissions; developing headline messages that can be amended and updated for each session; and also asking questions in plain English: “What went well?”, “What could have gone better?” and “What are the business implications?”

Though this can be a challenge for those immersed in directly addressing complex technical challenges in the business, providing this strategic view allows board members to use their experience as business leaders to interrogate cyber using knowledge from other risk types.

Help boards develop a strategic understanding

To enable boards to ask stretching, hard-hitting questions, tailored awareness sessions can allow them to effectively understand business implications, risk appetite metrics and risk reduction goals. And while internal expertise will produce business relevant materials and scenarios, insights from external sources – whether industry round tables, or an expert “cyber advisor” – are crucial for maintaining knowledge of best practice and norms.

Aligned to the refreshed WEF’s Principles for Board Governance of Cyber Risk, Standard Chartered has in recent years made use of a regular internal forum for board directors to undertake guided discussions on topical aspects of cyber risk. Creating an environment in which the key stakeholders across the three lines of defence are present and in which all questions are welcomed, and facilitated by an experienced cyber expert, the forum has proved an effective way to build board expertise, complemented by a broader array of engagement and awareness activity.

A blended approach is taken to these programmes: strategic and long-term rather than reactive in outlook, focusing on broader technological and business-relevant developments while also referencing recent high-profile breaches or incidents in the sector and at third parties, which are often already on the radar of board members.

Build a strong risk culture

Outside of these formal interactions, cyber leaders must be thoughtful and conscious leaders in the business, and push to create a cyber-aware culture within the organization.

A strong culture allows senior business leaders to move away from merely “setting the tone from the top”, instead inculcating a cyber risk-conscious mindset in a receptive organization that no longer needs to be persuaded of the importance of cybersecurity. This helps to build cyber risk naturally into daily thinking and actions. Embedding this way of thinking from the bottom up, complementing the top-down messaging, will bolster the cyber resilience of organizations in the long term.

Ultimately, it is important that a constructive, challenging relationship exists. For the CISRO, communication to the board needs to be transparent, tailored and translatable. Achievements and failures must be described in an accurate and balanced, business-focused way. Reports to the board must be tailored for the specific forum and context; and reports should offer the “So what?”, linking risks to the overall goals of the business. For banks and those in the financial services sector, ensuring the regulatory angle is well-covered is also key.


For the chair, the key is to approach the topic with curiosity. This ability helps continue the honest conversation, build understanding of cyber concepts and focus areas, whilst pushing cyber teams to remain committed to appropriately managing the risk. Bringing all of this together should be a compelling strategic vision for cybersecurity, which will set both the long-term direction and short-term priorities for the organization. The chair and CISRO can then ensure that this is aligned to business needs, positioning cybersecurity as integral to future success.
