There's been a lot of talk about cyber security recently, with the hack at British Airways and the constant refrain from the Government to company boards about their experience in this area.
With more and more valuable interactions happening in the digital space, it follows that the impact of any cyber-whoops is therefore greater. But you've got to feel for the average board, recognising the rising risks in this area, understanding the need to engage, but struggling to know how to go about it.
It's easy to get lost. "Cyber" (weird word, really) is an odd concept: at one level it is generally descriptive, defining the digital space as a whole. On the other, it is a narrow, threatening warning, often followed by an equally aggressive word like "security", "hacker", "warfare" etc. Think Arnie. Like so many technical terms, it has been coined by vendors hoping to define a space and sell into it. The medieval practice of selling indulgences involved blood-curdling warnings of the dire consequences of not paying. Those consequences would play out in a dimension beyond human analysis, so there was no point in being rational. Just pay up. Sound familiar? For eternal damnation, read zero-day exploit.
OK, a little harsh. How does a board become more able to take a rational view of this risk, as it does with other kinds of operational, market and financial risks? The problem, of course, is that the cyber piece is so new. With the explosion in connectivity (which is what the internet really represents) has come an attendant rush of value, and of risk. However, our culture has not had time to digest the risks it represents and specifically clock the behavioural catalysts to cyber trouble in the future. To a board, running a stretched balance sheet at the turn of the credit cycle is an obvious risk, as is running down the R&D budget in an environment of tight market competition. Equally, that charity sword-swallowing session proposed by Kevin in Accounts would not be great for the firm's health and safety record. These are obvious catalysts to particular risks, because our culture is full of cautionary tales: Dickens writes colourfully on the risks of an over-extended balance sheet (!) and presumably sword swallowing has, for some time, been viewed with caution.
So how do we start to build this new consciousness? The secret, we think, is to break out of vendor-land and treat "cyber" as merely one facet of information management. "Information" is the poor relation to its spoilt sibling, "technology": when people talk of IT spend, they really mean T spend, where a tactical effort is made to organise the information simply as part of a project to install a system. It really should be the other way around: information is the most valuable resource in any company after its people, and a coherent plan for its management really ought to be the first thing companies do. Can we define our inputs? What are our key value-add processes? What are our outputs and who needs them? Notice not a system in sight at this stage.
Once this has been started, companies start to understand that information is different from the departments, systems, and documents that contain it, rather like energy is not the same as a piece of coal. Once that is understood, the company can start to organise around the management of that information, not the other way around. What do we mean by management? The development of a company-wide classification scheme ("filing" to you and me), the establishment of a single source for each item, the efficient maintenance of the system of entitlement, and the matching of the security environment to the sensitivity of the information: details of a customer's payment methods? Really sensitive. Details on the toilet cleaning roster? Not so much. In short, a plan to ensure the supply of reliable, consistent and discreet information to all those who need it, and only those that do.
OK, so where does that relate to cyber? Well, a successful attack is just a symptom that you've got your information management wrong. Did a vengeful former employee retain access after their departure? Why did finance keep a copy of client records on "their" systems, away from all the GDPR controls on the CRM database? Why was a third party allowed to export a bundle of data to their systems, when they should have been permissioned on the company's own systems? Why was data needed by the client teams only available on an internal network, forcing those teams to carry paper and Excel on the train? Why was the company dependent on bespoke software that ran on Windows 1875, preventing any patching? Why did an employee click on the attachment offering the usual accounts report, when they should have had independent access to those reports from a central system?
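The classification, single-source and entitlement discipline described in the previous section, and the failures listed above (a leaver who still has access, finance keeping its own copy of client records outside the controlled CRM), can be checked mechanically once the information is inventoried. The following is an added example written for this page, not code from the original post: it audits three small constructed inventories (assets with a classification and a storage location, locations with the control level they actually provide, and accounts with their leave date and entitlements) and reports the hygiene failures. The control-level ordering, the field names and the sample data are all assumptions made for the illustration.

```python
"""Information-hygiene audit over constructed inventories (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed ordering of classifications: a store rated at or above the level
# an item requires is treated as fit to hold it.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Asset:
    name: str                # the information item; the same name in two
    classification: str      # locations means two copies of one item
    location: str            # key into the locations inventory
    system_of_record: bool   # True for the single authoritative copy


@dataclass
class Location:
    name: str
    control_level: str       # highest classification the store is fit to hold
    owner: str


@dataclass
class Account:
    user: str
    active: bool
    leave_date: Optional[date]          # set by HR when the person leaves
    entitlements: Set[str] = field(default_factory=set)  # asset names


def audit(assets: List[Asset], locations: Dict[str, Location],
          accounts: List[Account], today: date) -> List[str]:
    """Return one finding per hygiene failure; an empty list means clean."""
    findings: List[str] = []
    copies: Dict[str, List[Asset]] = {}

    # 1. An item held somewhere with weaker controls than its sensitivity needs
    #    (the "finance kept a copy on their systems" case).
    for a in assets:
        loc = locations[a.location]
        if LEVEL[loc.control_level] < LEVEL[a.classification]:
            findings.append(f"MISPLACED: '{a.name}' ({a.classification}) held in "
                            f"'{loc.name}', which is only rated {loc.control_level}")
        copies.setdefault(a.name, []).append(a)

    # 2. Several copies of an item with no single source of record.
    for name, items in copies.items():
        if len(items) > 1 and not any(i.system_of_record for i in items):
            findings.append(f"NO_SINGLE_SOURCE: '{name}' exists in "
                            f"{len(items)} places and none is the system of record")

    # 3. People HR says have left but who still hold an account or entitlements.
    for acct in accounts:
        has_left = acct.leave_date is not None and acct.leave_date <= today
        if has_left and acct.active:
            findings.append(f"LEAVER_ACTIVE: {acct.user} left {acct.leave_date} "
                            f"but the account is still active")
        if has_left and acct.entitlements:
            findings.append(f"LEAVER_ENTITLED: {acct.user} still entitled to "
                            f"{sorted(acct.entitlements)}")
    return findings


def run_example() -> List[str]:
    """Constructed sample inventories; every value here is made up."""
    locations = {
        "crm": Location("CRM database", "restricted", "Client Services"),
        "finance_share": Location("Finance file share", "internal", "Finance"),
        "intranet": Location("Intranet", "internal", "Communications"),
    }
    assets = [
        Asset("client payment details", "restricted", "crm", True),
        Asset("client payment details", "restricted", "finance_share", False),
        Asset("toilet cleaning roster", "internal", "intranet", False),
        Asset("monthly accounts report", "confidential", "finance_share", False),
        Asset("monthly accounts report", "confidential", "intranet", False),
    ]
    accounts = [
        Account("a.smith", True, None, {"client payment details"}),
        Account("k.accounts", True, date(2018, 8, 31), {"monthly accounts report"}),
        Account("j.doe", False, date(2018, 6, 1), set()),      # offboarded properly
        Account("p.notice", True, date(2099, 1, 1), {"toilet cleaning roster"}),
    ]
    return audit(assets, locations, accounts, today=date(2018, 9, 15))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run as a script it prints six findings for the sample data: three misplaced copies, one item with no system of record, and one leaver who is both still active and still entitled. The point of the structure is that none of the checks is about a particular attacker or exploit; each one is a question the board can ask about how information is filed, where the single source is, and who is still allowed in.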
It's helpful to think of this in terms of hygiene. If you never wash your hands, leave your house dirty and don't get enough sleep, you'll probably need recourse to some fancy drugs from time to time. Attend to good habits, however, and the chances of catching something nasty are materially lower. It's those good habits in general that the board should focus on, not second-guessing the IT department with stuff read in the Daily Telegraph over the weekend. Focusing on those good habits will also highlight exceptions to them, developing a sense of the informational risks the company is running in the same way it does for other types of risk.