Companies today face an expanded cybersecurity footprint as the ongoing pandemic requires more applications to be moved to the cloud. Hybrid work is also becoming the norm amidst sporadic lockdowns being enforced when community outbreaks arise.
The ability to assess and manage the risks posed by threat actors has never been more essential. Yet companies across Asia Pacific vary widely in their maturity when it comes to putting together a cybersecurity strategy and executing the programs that keep their security posture robust.
“Industries that are tightly regulated are much better prepared to manage risk – whether it's a business risk or cyber risk – because regulators make them good at doing it. For companies that are not regulated, they have a very different understanding of what risk is and how they should protect against risk,” said Ben King, vice president of customer trust at Okta.
For these companies in unregulated industries, King pointed out that the first order of the day is to establish their risk appetite.
“A discussion about risk appetite is the bread and butter of working in a large bank. Banks are very aware of what their appetite is, and where they can play within appetite and what they definitely can't do outside of appetite, because their regulators will tell them exactly where their appetite is. But in an unregulated industry, it's very hard to say, ‘let's talk about risk and how we manage risk’.”
He added that if an organisation does not know its risk appetite, it cannot define its risk target. And this makes it difficult for a company to allocate limited cybersecurity resources.
“They might have 20 risks to solve but only enough resources to solve three or four. Without establishing what are the rules of that discussion, how are they supposed to prioritise where to invest? It is a very difficult problem,” said King.
Two-way communication
King stressed that an open line of communication must always exist between the CISO and the board, so that cyber risk is discussed regularly rather than only after an incident.
“It's a two-way street, you need someone who has a story to tell, and you need someone interested in listening to that story. You need a CISO who's in touch with the board and the business and understands what's important. A CISO who understands they're there to enable the business. Not to throttle or stop or be the Department of No. But someone who understands why the business exists and how we secure that process.”
At the other end of the table, King noted many board members have a good understanding of business risks, but they lack knowledge of technical and cyber risks. He said a company needs to have at least one board member who is “security-minded”.
“Or there needs to be a subcommittee like a Risk and Audit Committee, which focuses on risk as well as cybersecurity risk. So, if we have someone who has a story to tell, and a board who is interested, or a committee who’s interested in hearing that story, then we can start having a discussion.”
One piece of advice King gives to CISOs appearing before the board is to keep their reporting consistent and standardised.
“This will help board members, who aren’t necessarily technologists or cybersecurity professionals, get a sense of continuity of the discussion – because the landscape is changing and will change faster, the risks are changing and will change faster.”
“And organisations' reason for being probably won't change, but their strategy to execute will change. And so, a strategy to create a security program to protect and enable the business will change over time. So, to talk about the risks to the business, in that sense, obviously needs to evolve. But to keep people involved in that story, the reporting story or the metrics should be consistent.”
For the discussion to be fruitful, King added, the company must understand where it is today, where it wants to be, and the programme of work that will get it there.
Making the risks real
Getting an organisation’s board members invested in assessing and managing cybersecurity risks is no easy task, especially when these senior executives have other pressing business concerns calling out for their attention.
In conversations with the board, King urged CISOs to bring risk scenarios to life through tabletop exercises and roleplay simulations.
“Many organisations tabletop a scenario and have a roleplay exercise. For example, we’ve got 10 million customer records. We might have a GDPR concern or a local privacy regulation concern. We've got concerns with our customers – with losing trust in the marketplace, and the share price might be dipping.”
“When you are doing a tabletop, an important factor is who you bring into that conversation. So do you bring in the CEO, do you bring in a board member to talk about your response… I think table-topping and role-playing with all the relevant stakeholders, including board members, are very important to generate that interest. So that they're not blindly accepting security risk or funding a program, but they're thinking about risk and consequence,” King said.
He added: “Certainly, security's job isn't to get everything funded. It's to enable decision-makers to make an informed decision with appropriate knowledge. If we can do that and generate that interest at the board, we can have that conversation.”
Managing risks amid a talent shortage
With the growing number of cyber risks, companies need to be mindful of where to invest limited resources to mitigate potential security threats.
“It comes down to prioritisation of risks. There's also a prioritisation of development and execution whether they're security-related or not. Do you get your engineers to go build a system that is quite simple, a login page with a username and a password to give people access? But as you scale globally, as you want to build in multifactor authentication, as you think about threats, you could think about moving to cloud from an on-prem service – it becomes quite difficult quite quickly.”
“Why not outsource that to someone who makes identity their business and free up your resources to work on your business differentiator? If you're going to do that, you get a best-of-breed solution, which is already secure, which is already scaled for growth, and cloud-native and all those things. You get happier staff who are working on more value-add work for their organisation rather than building commodity services like identity,” King said.