
teissTalk: Getting the board’s ‘aye’ on your cyber-security investments 

Views on news


A leading standards body has warned of a growing “AI governance gap” as business leaders rush to adopt the new technology without first putting the requisite controls and processes in place. The British Standards Institution (BSI) made its remarks in a new report compiled from AI-assisted analysis of 100+ annual reports from multinationals and two global polls of more than 850 senior business leaders. On the one hand, nearly two-thirds (62%) of business leaders plan to increase AI investment over the coming year. On the other, just a quarter (24%) claimed to have an AI governance program in place, rising to only 34% of large enterprises.


AI, however, needs the type of governance that other technologies do, and the point should be to educate boards, not to scare them. That said, the governance aspect unique to gen AI is how users should anonymise and strip out sensitive company information from what they feed it. Governance, if done properly, is not a barrier to adoption but an enhancer of it.

 

Making cyber security relevant for the board


Start with the risk tolerance of the business, considering, for example, how much damage being offline can cause. Then assess the risk of an incident happening and how you can mitigate it. How the board sees the role of the CISO can also make a huge difference: as pivotal to cyber security, or as a set of responsibilities it would prefer to outsource in part to external businesses. The problem is that boards typically focus on preventing bad things from happening rather than on how to manage the situation once the worst happens, neglecting recovery and response. A key question, for example, is the order in which you recover your assets after an attack. With remote work and the cloud, the idea of a physical grab bag, which would contain the most important phone numbers and other data that become inaccessible when the system goes down, is gone too. Another problem is that the average age of board members is about 60 years, which may make them more reluctant to admit to not being knowledgeable about a topic or to ask questions that may sound too basic.


AI is a great tool for making hundreds of pages of company policy relevant and searchable. Boards will be more likely to listen to arguments based on compliance with the company’s own internal policies than with general regulations. Boards must also understand that compliance is not a single exercise but requires continuous monitoring, along with the technology and manpower necessary for it. Companies can make mistakes and buy some shiny software only to find out later that it’s not compliant in their industry.


The panel’s advice

  • While governance moves in years, AI technology advances in days.
  • Compliance is the foundation of cyber security, not the ultimate tool to achieve it.
  • Compliance is yesterday’s security you’re auditing tomorrow.
  • Boards may need a strategic individual who can translate between them and the technological staff. Without such a role, it’s easier to teach techies business than a chief executive cyber. 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543