Business leaders and cyber experts can defeat online threats – but only if they work together
Against a backdrop of escalating geopolitical tensions, the rise of hybrid working and the demand from employees to stay connected anytime, anywhere, organizations are facing a particularly challenging task in managing their cyber risks.
For banks, this means that the traditional three-lines-of-defence model of risk management is under as much pressure as it has ever been: in the first line, the Chief Information Security Officer (CISO) owns and manages risk; in the second line, the Chief Information Security Risk Officer (CISRO) provides challenge and oversight; and the third line offers independent assurance. Given the interconnectedness of the financial sector and its status as a target for threat actors, it is critical that we continually seek to enhance our resilience and ensure the sustainability of our controls.
Engagement between the chairman of the board and the CISRO is thus important, as the latter needs to provide confidence to the former that the organization is appropriately managing its cyber risk. Despite its rising importance, however, many board directors still find cybersecurity a complex topic that sits outside of their experiences. Honest and regular communication between the two can help bridge this gap.
Break down complex cybersecurity concepts
CISROs and their leadership teams can help by storytelling: breaking down complicated cybersecurity concepts into bite-sized updates, such as providing governance papers and briefing notes that convey the relevance to the business of risk reduction initiatives or regulatory changes.
Inherent in cybersecurity is a certain level of technicality and complexity, but it is crucial that cyber leaders communicate with impact and influence, and harness the ability to translate the technical into the understandable, so that board directors are able to question with insight and perform their role more effectively.
There are practical steps to help nudge governance committee members into engaging more effectively with cyber risk. For example, creating repeatable templates that can be used for paper submissions; developing headline messages that can be amended and updated for each session; and also asking questions in plain English: “What went well?”, “What could have gone better?” and “What are the business implications?”
Though this can be a challenge for those immersed in directly addressing complex technical problems in the business, providing this strategic view allows board members to use their experience as business leaders to interrogate cyber risk with the knowledge they have built up from other risk types.
Help boards develop a strategic understanding
To enable boards to ask stretching, hard-hitting questions, tailored awareness sessions can allow them to effectively understand business implications, risk appetite metrics and risk reduction goals. And while internal expertise will produce business relevant materials and scenarios, insights from external sources – whether industry round tables, or an expert “cyber advisor” – are crucial for maintaining knowledge of best practice and norms.
In line with the WEF’s refreshed Principles for Board Governance of Cyber Risk, Standard Chartered has in recent years made use of a regular internal forum in which board directors undertake guided discussions on topical aspects of cyber risk. By creating an environment in which the key stakeholders across the three lines of defence are present, in which all questions are welcomed, and which is facilitated by an experienced cyber expert, the forum has proved an effective way to build board expertise, complemented by a broader array of engagement and awareness activity.
A blended approach is taken to these programmes: strategic and long-term rather than reactive in outlook, focusing on broader technological and business-relevant developments while also referencing recent high-profile breaches or incidents in the sector and third parties, which are often already on the radar of board members.
Build a strong risk culture
Outside of these formal interactions, cyber leaders must be thoughtful and conscious leaders in the business, and push to create a cyber-aware culture within the organization.
A strong culture allows senior business leaders to move beyond merely “setting the tone from the top”, instead inculcating a cyber risk-conscious mindset in a receptive organization that no longer needs to be persuaded of the importance of cybersecurity. This helps to build cyber risk naturally into daily thinking and actions. Embedding this way of thinking from the bottom up, complementing the top-down messaging, will bolster the cyber resilience of organizations in the long term.
Ultimately, it is important that a constructive, challenging relationship exists. For the CISRO, communication to the board needs to be transparent, tailored and translatable. Achievements and failures must be described in an accurate and balanced, business-focused way. Reports to the board must be tailored for the specific forum and context; and reports should offer the “So what?”, linking risks to the overall goals of the business. For banks and those in the financial services sector, ensuring the regulatory angle is well-covered is also key.
For the chair, the key is to approach the topic with curiosity. This ability helps continue the honest conversation, build understanding of cyber concepts and focus areas, whilst pushing cyber teams to remain committed to appropriately managing the risk. Bringing all of this together should be a compelling strategic vision for cybersecurity, which will set both the long-term direction and short-term priorities for the organization. The chair and CISRO can then ensure that this is aligned to business needs, positioning cybersecurity as integral to future success.
This article was republished from the World Economic Forum under a Creative Commons license to point warfighters and national security professionals to reputable and relevant war studies literature.
José Viñals was appointed to Standard Chartered PLC in October 2016 and became Group Chairman in December 2016. He also chairs the Governance and Nomination Committee. José was appointed Chairman of Standard Chartered Bank in April 2019. José has substantial experience in the international regulatory arena and has exceptional understanding of the economic, financial and political dynamics of our markets and of global trade, and a deep and broad network of decision-makers in the jurisdictions in our footprint.
Darren Argyle is Group Chief Information Security Risk Officer, Standard Chartered Bank.
This article does not constitute endorsement of Analyzing War by the author/s.