They are large organisations and all of them face considerable challenges in keeping their data and IT systems secure. Yet only a tiny minority of FTSE 100 companies have a Board member with specialist cyber security experience.
Research from Deloitte this week has shown that just 5% of the FTSE 100 currently employ a director responsible for cyber risk. Just 5%!
Cyber security is now widely accepted as having strategic importance. Data breaches can adversely affect reputation (including the reputations of Board members) as well as damaging an organisation’s competitive positioning. And there is a big moral dimension too: allowing personal data to leak out can cause individual consumers enormous difficulties, from cloned credit cards and frauds to wholesale identity theft.
But all too often cyber security seems to be treated as a technical issue for overworked IT departments and cyber breaches are considered simply a cost of doing business. Perhaps that will change with the considerable fines available to regulators under the new European privacy regulation, the GDPR, which will come into force from May 2018.
In the meantime though Boards are all too often simply brushing the issue aside.
So what needs to change? It’s simple really. Boards need an individual who can interpret the risks their organisation faces from cyber and communicate the steps that need to be taken to senior management.
But this individual can’t be just anyone. As Jason Hart, CTO for Data Protection at Gemalto says:
“It shouldn’t just be anyone that takes up this role though, they need to have the right set of skills and qualifications. Like accountants must have certain criteria to be able to work, so must security professionals.” Mr Hart proposes that, for this to be taken seriously, an industry standard should be created so that companies be sure they are appointing the right people. Security is, or should be, a Board level issue and the person responsible needs to be appropriately qualified and experienced. “The person responsible for this really does hold the key to the business in their hands, so we need to be sure they are capable of doing so.”
That's certainly true. And the problem goes deeper than qualifications. The difficulty is that many senior executives simply don't recognise the value of cyber security and cyber resilience. This is illustrated by recent research from the Ponemon Institute (registration required) that indicates that under half (45%) of UK organisation leaders recognise that revenues can be affected by cyber resilience and only slightly more (46%) recognize the effect on reputation. With this degree of scepticism at Board level is it surprising that cyber security fails to get the attention it deserves?