5 minute read 6 Sep 2022

How Irish boards can address cybersecurity oversight

By Puneet Kukreja

EY Ireland Cyber Leader

With cyber threat levels on the rise and their complexities growing, it is time to bring cybersecurity into the boardroom.

In brief
  • The board needs a clear understanding of how the organisation can respond rapidly to a cyber threat, and it can also help document a cyber threat management framework.
  • Boards need to take an action-oriented approach that can help them to create a culture of cybersecurity in the organisation whereby they can take everyone along in cybersecurity preparedness.
  • A key action that boards can take is to bring cybersecurity related skills and experience into the boardroom by appointing non-executive directors with previous experience in technology related roles.

The board plays an important role in overseeing and supporting how an organisation enhances its cybersecurity controls and practices in a world where threat levels are on the rise. The ransomware threats and attacks of the past two years make cyber risk more real and imminent. According to the EY Ireland Global Information Security Survey 2021, 90% of the Irish cybersecurity leaders reported an increase in disruptive cyberattacks over the previous 12 months.

Boards are acutely aware of the increased threat level and the risks associated with cybercrime. Almost two-thirds (60%) of respondents to the EY EMEIA Board Barometer 2022 said that digital transformation and cybersecurity had increased in importance during 2021.

Cyberattacks are increasing in velocity and voracity, and boards should adopt an “assume breached” mindset to cyber.

One reason for that increase is the rise in vulnerability among some organisations caused by the mass shift to remote working during the pandemic. The speed and urgency of the shift led to a lessening of cybersecurity controls in many cases. In some cases, those controls were abandoned or circumvented altogether. More than half of the respondents (52%) to the EY Ireland Global Information Security Survey 2021 flagged that it was just a matter of time until they suffered a major breach that could have been avoided had they invested more wisely in cybersecurity.

Another reason behind the heightened vulnerability to cyber threats is cuts to cybersecurity funding due to falls in revenue during the pandemic.

Awareness is one thing, but boards do face challenges keeping up with changes in technology and best practices for protecting their business. Boards are conscious of the scale of the challenge and many boards will make effective oversight of cybersecurity a top priority for the coming 12 months.

Boards can play a pivotal role in articulating the criticality of data and infrastructure, and advise on what really needs to be protected from a business point of view.

Building resilience

The reality is that even the best prepared organisations can fall victim to cyber breaches. Boards must therefore ensure that there is an incident response plan in place to facilitate a quick and effective response when required.

In the event of a breach, the following can help to protect the organisation’s digital assets and its reputation.

The role of the board is evolving, especially to keep up with the new normal after the pandemic. An action-oriented approach can help the board to create a culture of cybersecurity in the organisation whereby they can take everyone along in cybersecurity preparedness.

Seven steps for boards to be better prepared

Boards can demand more granular insights into the security posture of organisations and drive a zero-trust approach to bring the focus onto potential vulnerabilities. They can involve key stakeholders and cyber leaders in the organisation, such as the Chief Information Security Officers (CISOs) and the CIOs, to hear more about the level of readiness to respond to a cyber breach.

Here are seven critical areas that boards need to focus on to better align themselves with the organisation’s cyber strategy and to ensure that the organisation’s cybersecurity needle is moving in the right direction.

Take a holistic approach

With remote and hybrid work being the new normal, continuous assessment and improvement of cybersecurity controls and practices across the organisation should be the focus of the board. For this, boards can mandate organisation-wide continuous training and education around cyber threats. It may also be useful to accompany this with a cyber awareness programme. Keeping an eye on the internal control framework and cybersecurity monitoring procedures is the need of the hour as well.

Cybersecurity activity should not be seen as purely defensive. A company’s ability to adjust and strengthen its cyber resilience will position it for a more secure future. Cybersecurity can therefore act as a strategic enabler of growth by supporting the organisation to retain the trust of customers and employees, fully exploit digital tools, and do business with confidence.

The role of the board is assuming greater importance as cybersecurity risks and threats grow. Boards must now play a more constructive role in advising on the post-incident response plan and on managing it from a business continuity perspective.

Summary

Boards can play a pivotal role in articulating the criticality of data and infrastructure, and advise on what really needs to be protected from a business point of view. Boards must also push management to explain the organisation’s maturity posture.
