06 Oct 2020
Cybersecurity | An Essential Expertise in the Age of COVID-19
The coronavirus pandemic has fundamentally altered where and how employees perform their jobs.
In January 2020 only 3.4 percent of America’s workers (about five million people) worked remotely half time or more; by midsummer the United States had a majority work-from-home economy, with 40 percent of workers working remotely in June, 26 percent (most of them essential workers) working onsite, and roughly 30 percent unemployed. Weighted by earnings, 60 percent of America’s GDP was being generated by people working in home offices, bedrooms, porches, living rooms, or outdoors.
Going forward, economists predict that once COVID’s pandemic phase is behind us, 20-30 percent of employees will continue working from home at least half time. This has a broad array of implications. It will influence real estate markets, both commercial and residential. It will influence corporate communication and reporting structures, employee engagement and teambuilding initiatives, and even the distribution of work hours across the day. But one of the biggest and most immediately concerning implications is that companies relying on remote workers are exposed to a widened set of cyber risks. And these enhanced risks come at a time when demand for cyber talent—executives with backgrounds in computer science, security, IT, and, in many cases, “cleared talent” with experience working for government-focused businesses—has never been higher.
To combat these risks, we recommend that companies act on three key priorities:
- Bring cyber expertise to the boardroom. As companies grow increasingly reliant upon technology, cyber breaches now have broad and even existential implications; for this reason, companies need to bring cyber expertise into the boardroom, just as they already do with functional expertise in areas such as finance and HR, and make cybersecurity an everyday component of both the board’s agenda and the company’s strategy.
- Put a C-level cyber expert in charge. In order to ensure they have a proactive and enterprise-wide risk mitigation system in place, companies need to appoint a Chief Information Security Officer (CISO) and invest that officer with cross-functional authority and direct reporting lines to the CEO and board. (CISOs whose authority is restricted to their traditional IT or security silos are far less effective.)
- Integrate cyber responsibility across the organization. Cyber risk has both human and technological components, and for this reason companies must take an integrated approach to cybersecurity, distributing awareness and mitigation responsibilities across the entire organization.
Part I. Bring cyber to your board
When a company experiences a cybersecurity breach, customers often rethink their loyalty toward the brand, shareholders question its organizational and leadership competencies, regulators make sure it has been compliant with legal guidelines, and the company as a whole suffers.
But with 30-40 percent of workers still working remotely and IoT technologies increasingly embedded in products and operations, the number of risks to which companies are exposed has widened beyond these old parameters: today’s cyber breaches don’t just have the power to distract companies from their operational imperatives; they have the power to hijack their operations entirely. In other words: cybersecurity is now a major board issue.
Boards need to make cybersecurity a priority
However, according to a recent McKinsey report, most boards spend just 10 percent of their time discussing risk management—and of that 10 percent, cybersecurity gets only a small share. This means that most executive-level cyber experts (if such an expert even exists within the company) have to compress a daunting amount of information about emerging technology, cyber strategy, cyber resilience, and workforce cyber awareness into a very small amount of time.
Complicating things further, board members (and CEOs) are often generalists, with superficial understandings of the technologies that their companies employ. This often makes explaining cybersecurity concepts (concepts fraught with terms like “solid identity security programs” and “threat analytics” and “incident response” and “log ingestion” and “threat modeling” and “multi-factor authentication”) challenging even when there are no time constraints.
The result? Most boards are woefully under-informed about cybersecurity and unprepared to make strategy decisions with cyber and information security in mind. To fix this problem, boards need to prioritize their own learning, which means making real time for it, putting it on the agenda and setting learning goals.
Appoint a cyber expert to your board
A full two-thirds of boards don’t have a designated board member responsible for overseeing their organization’s cybersecurity efforts and helping to bring cyber awareness into boardroom discussions. Given that the global cost of cybercrime is expected to reach $6 trillion annually by 2021, we believe that no board competency map is complete without a cybersecurity expert.
Yet appointing a cyber expert to the board is easier said than done. For one thing, the majority of cyber experts are relatively young—they may be experts in their field, but most lack the broader management, strategy, and leadership acumen typical of board members. And those candidates who do possess both cyber expertise and management experience are in exceptionally high demand.
There are a few ways to meet this challenge. First, companies can pay top dollar to ensure they have the right talent; second, they can train first-time cyber board members by sending them to director education programs or pairing them with experienced board members who can help them develop the kinds of generalist skills required to be an effective director.
Part II. Bring cybersecurity to the C-suite
Even though cybersecurity has been part of the corporate lexicon for decades now, we’ve actually seen limited structural evolution when it comes to how companies prepare for and defend against cyber attacks. As of 2019 only 50 percent of companies had a dedicated cybersecurity executive overseeing dedicated cybersecurity teams, though there’s evidence that this is now changing. The rise of the Internet of Things (which has made cybersecurity intrinsic to physical operations and therefore broadened companies’ attack surface) and the widespread adoption of remote work are driving more companies to recruit Chief Information Security Officers whose role covers a number of interlocking imperatives:
- They should help build a proactive rather than reactive approach to cybersecurity; an approach that aims to predict where and how the next attack might come rather than relying on passive and reactive controls (for example: firewalls).
- They should oversee a designated team of “crackers” (a reference to the physical safecrackers of old; in practice, a red team or penetration-testing function) whose goal is to constantly test the company’s weak spots, essentially simulating a hack in order to find out where the company’s vulnerabilities are before a real attacker does.
- They should build and oversee internal programs designed to train employees in cyber hygiene, monitor employee hygiene performance, and create a culture of accountability and cyber awareness, one in which all employees feel responsible for considering cybersecurity measures.
- They should institute cybersecurity measures such that they (a) align with the company’s core strategies, and (b) prioritize security measures, ensuring that the company’s most important assets and information are kept safe before looking after less important ones.
- They should serve as a key advisor to the CEO and board—a job that requires breaking down highly technical concepts for a senior audience, convincing the board to make large investments in cybersecurity, and helping them design business strategies with cyber considerations in mind. To effectively fill this role, CISOs need consistent access to, visibility with, and interaction with the CEO and other C-level leaders.
The problem? Simply deciding you need a cyber expert isn’t going to get you one.
As with cyber experts at the board level, there simply aren’t enough executive-qualified cyber experts to fill demand. According to Cyber Security Ventures, 100 percent of Fortune 500 companies will have a designated CISO or equivalent position by 2021 (that number was 70 percent in 2017)—but a significant number of these seats will go unfilled because of a shortage of cyber talent. And this shortage isn’t limited to the executive level; competition for talent is also rife in lower and mid-level cybersecurity teams: by 2021 there are expected to be 3.5 million unfilled cybersecurity jobs globally, up from 1 million in 2014. Meanwhile, the rate, scale, and intensity of cyber attacks are expected to continue escalating.
Part III. Take an integrative, enterprise-wide approach
Bringing cyber expertise to the executive and board level is a crucial first step in building a cyber strategy. But given the dynamic nature of cyber threats and the growing ubiquity of technology use, no cyber solution is complete if it’s not integrated throughout the organization. The process of integration, however, will require many executives to widen their understanding of cyber responsibility.
The fact is that even though cybercrime has significant enterprise risk implications, far too many executives persist in thinking of cybercrime as a technological problem whose solution is confined to the IT sphere. The reality, however, is that hackers have recourse to both technological and human pathways through cyber defenses, and in order to adequately defend their systems from these hackers, companies need to make all employees part of the cyber solution.
Clarify responsibility and measure performance
Far too many cybersecurity failures are not the result of technology glitches or bold moves by genius hackers but of easily avoided organizational mistakes, things like poor communication or confusion about who is responsible for strategy implementation.
A common example: when vendors release the software patches and updates that protect network-connected devices against known and likely threats, it’s often unclear who is responsible for installing them—is it the IT department, the employee who uses the technology, or that employee’s team leader? All too often, this confusion means that no one installs the patch and devices go unprotected. According to one study, 57 percent of cyber breaches could have been prevented by existing patches that, for one reason or another, were never applied.
Companies need to be explicit about how they integrate cybersecurity initiatives into their responsibility and communication structures. They need to decide who is in charge of each aspect of internal cyber compliance and then measure performance. The old adage “You can’t manage what you can’t measure” holds true here.
Make cyber part of everyone’s job
One of the most important functions of cybersecurity leaders is educational; they need to teach their organization’s employees, its C-Suite, and the board about everything from basic cyber hygiene to how strategic and operational decisions interact with cyber risk.
Educational initiatives of this kind have two kinds of benefits. In the short term, they help contextualize cyber awareness, helping ensure that patches get installed and potential breaches reported; 97 percent of breaches in 2017 could have been prevented if companies had engaged in better cyber hygiene. In the long run, this cross-functional approach to cyber will help embed cyber awareness across the organization’s teams—and this embedded, cross-functional thinking can pay real dividends, both in terms of basic cyber compliance and in terms of innovation. By some accounts, more than 60 percent of companies have yet to establish training programs that build employee security awareness.
Cybersecurity expertise and awareness is a central part of any enterprise risk management strategy. Without such expertise, companies will find themselves less trusted by customers, employees, shareholders, and partners, and in extreme cases unviable as businesses. To ensure that they not only survive but thrive in this century of cybercrime, companies need to:
- Begin at the top, bringing cybersecurity experts into the boardroom and integrating cybersecurity into their strategy, succession planning, and culture.
- Appoint a dedicated C-level cybersecurity executive who has direct reporting lines to the CEO and the authority to enact the kind of cross-functional changes required to drive enterprise-wide cyber strategy.
- Ensure that responsibility for cyber hygiene, patch installation, and general cyber awareness is clearly articulated, and that all employees—from the IT department to managers and employees in other functions—understand how their behaviors affect the company’s exposure to cyber intrusions and can contribute to firmwide security.