June 22, 2015
Digital attacks can threaten an organisation’s global reputation and, at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage.
Boards need to recognise that a cyber attack will happen at some stage and that cyber security is a matter for the entire business. The organisation’s IT department alone is unlikely to effectively protect every digital asset of the company without executive support. A 2014 World Economic Forum and McKinsey report said cyber resilience can only be achieved with “active engagement from the senior leaders of private and public institutions.”
These attacks are operational business risks, not just IT risks. Most boards are not made up of security experts, so it is crucial for IT and senior executives to frame the problem in terms of those business risks. For effective governance and accountability, businesses should implement processes to identify attacks early and then respond to these in a structured and repeatable manner, with a clear delineation of responsibility.