Business is now almost entirely dependent on digital platforms, and cannot function if their ICT systems are impacted or attacked. So, in order to build a resilient business, cyber resilience needs special attention especially from executives.
“If the lead does not come from the top, then all your best efforts will not bear fruit – and this one is too important not to get right,” argues Kabir Singh, senior manager: advisory services at ContinuitySA.
“It’s important to differentiate between cyber resilience and cyber security,” he adds. The latter essentially relates to the technology that helps to prevent intrusion, and would include password and identity management, firewalls, encryption and so on. But cyber security is not sufficient. Security technology simply cannot keep pace with cybercrime, so it is important that the organisation does not only identify cyber risk, but is able to detect cyber-attacks and respond to them.
In the same way, business continuity is now being seen within the wider context of business resilience. The fast-moving nature of the threats means that identifying risks and preparing only for them is not enough.
As with business resilience, cyber resilience requires strong leadership by the board and the executive team. In the end, it is the product of a cultural shift within the organisation, and culture within countries and organisations is inevitably a reflection of the behaviour of leaders. So while promoting the principles of cyber resilience to employees is critical, they will only take root if the leaders show the way.
To this end, the board must assume oversight responsibility for cyber risk and resilience, possibly delegating this responsibility to a committee–either the risk committee or, in the case of a mature organisation, a dedicated cyber-resilience committee.
The board needs to ensure that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise- wide risk management, as well as budgeting and resource allocation.
In addition, the board can appoint an accountable officer for reporting on the organization’s capability to manage cyber resilience and progress in implementing cyber resilience goals. The board ensures that this officer has regular board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties. It requires the officer in charge to monitor performance and to regularly report to back to it.
As part of its annual risk management cycle, the board needs to review the organisation’s appetite for cyber risk, taking into account the relevant regulatory requirements and industry benchmarks.
Feedback from boards is that ICT governance remains challenging for them. In the light of this, it is highly recommended that board members receive an expert briefing on cyber resilience, and that new board members are inducted properly. Regular trend updates are also mandatory.
Finally, in order to initiate a virtuous cycle, an annual, independent cyber-resilience review should be undertaken, concludes Singh.