With the digital transformation market, whether that's investment in cloud, automation or AI, anticipated to grow from $1.5 trillion in 2021 to nearly $7 trillion by 2029, boards of directors and enterprise CxOs everywhere must better prepare for the dramatic increase in associated cyber risk over that period.
To help organizations better engage their boards when managing cybersecurity risks, Google recently published its Perspectives on Security for the Board. The report details what steps the board should take with their CxOs and CISOs to adequately secure their digital transformations in the years ahead. “Boards must understand that cybersecurity is not only a technology concern but a sustained business risk that demands effective corporate governance,” wrote Phil Venables, CISO at Google Cloud.
Consider the growing enterprise AI risks: The board should thoroughly review the CISO's plans to securely deploy AI systems and determine whether additional investment in securing AI is needed. “Understand your organization’s data responsibilities and whether cybersecurity leaders have the right tools to protect machine learning data. Second, Boards should work with the CISO to understand how best to leverage the power of AI to achieve better cybersecurity outcomes at scale,” the report states.
Yet ask any CIO or CISO at a large enterprise about the importance of their board of directors' involvement in cybersecurity, and they'll tell you it's “essential.” But what does “involvement” mean? What is good involvement beyond lip service? It certainly doesn't mean board directors start responding to alerts in the enterprise's security operations center, and it rarely means they write security policy directly.
What these CxOs typically mean when they say board involvement is essential is that everyone, from the board and executive leadership through the CEO on down, makes cybersecurity a priority. That means providing adequate funding and organizational support to create and maintain a successful risk management program. That's easier said than done in practice, because the demands of cybersecurity often conflict with tough business decisions about shipping software or protecting profitability. In most organizations, except for the largest banks or companies with valuable intellectual property, cybersecurity loses out to business demands.
How Boards Can Navigate the Cyberthreat Landscape
In this report, Google’s Cybersecurity Action Team details the board’s roles and responsibilities in cyber risk oversight, provides guidance on how boards should navigate the cyberthreat landscape and explains how boards should engage on emerging issues surrounding AI and cybersecurity.
With rapid investment in digital transformation and the shift to the cloud, enterprises have increased their attack surface considerably. At the same time, the tools threat actors use to exploit business-technology systems have become readily available and easier to use.
Additionally, governments, whether in the US or the EU, are tightening their regulatory mandates. They’re increasingly implementing regulatory measures that raise compulsory cybersecurity baseline standards, including requirements to report cyber incidents to the relevant government authorities. “In recent weeks, we’ve seen two such initiatives from the U.S. Securities and Exchange Commission, which contain hundreds of pages of proposed rules on cybersecurity, incident reporting, and systems integrity,” the Google report states.
This means boards need to view cybersecurity risks as business risks, not just technical risks. Concepts that were once solely the purview of the CISO's office must become an integral part of business strategy, risk management practices, budgeting and resource allocation, reinforcing that cybersecurity risk is everyone's responsibility.
“We expect these trends will continue and blur across borders, geographies and sectors over time. Boards will play an important role in how organizations respond to these trends and should prepare now for this future state,” the report states.
NIST CSF and a Sustainable Path to Resiliency
To help boards understand cybersecurity risk, Google recommends the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a common language for cybersecurity. The NIST CSF offers an easy-to-digest standard framework that lets board members understand cyber risk and have meaningful conversations with CxOs and CISOs about it. The CSF's core functions call on organizations to reduce risk by identifying critical assets, protecting them, detecting suspicious events and activity, and responding to and recovering from security events.
The Google report advises boards to take action to put cybersecurity on a sustainable path. First, boards should educate themselves about how cybersecurity and business-technology risks are integral to operational risks and decisions. “This includes understanding cyber’s impact on risk management and resiliency frameworks. It also includes the Board of Directors playing an integral role in overseeing any organization’s cloud-enabled digital transformation,” Google wrote.
Google also recommends assessing the board’s structure and expertise and identifying the most appropriate committees to govern such risks.
Google advises boards to ensure they engage with the C-suite, including the CISO and other business leaders. “Understand critical gaps and resource needs while ensuring this risk is treated as a priority for all executives – not just the cybersecurity team. Boards must work with the CISO and technology, business, and compliance stakeholders to identify top risks and quantify them, and assess how they align with overall risk appetite,” the report stated.
To make this happen, Google noted the importance of inviting the CISO to strategy discussions, including the CISO in broader business and technology decisions, and holding regular sessions with the CIO and CTO on risk priorities, budgets and planning.
Finally, Google advises boards to stay informed through ongoing reporting, to work with the CISO and other C-suite executives, and to “strive to create a robust feedback loop that encourages frank dialogue, informed decision making, and continuous risk management, in line with good practices for operational risk management.”
If boards took this advice, it would be good news for CISOs and security-conscious CxOs. Consider the 2022 Gartner Board of Directors Survey, which found that 88% of boards view cybersecurity as a business risk, yet only 12% had a dedicated board-level cybersecurity committee.
Google also announced the Google Cloud Board of Directors Cybersecurity Insights Hub. Through the hub, readers can find articles such as Risk Governance of Digital Transformation in the Cloud.