Boards have finally awoken to the challenge of IT and cyber-security risk.
Unfortunately, many of them are discovering that they don’t have the governance structures in place to deal with the issues effectively, even as risks are being realised on a near-daily basis throughout the world.
“The number of [CISO and cyber] reports that are happening to the board is massively increasing,” says Kevin Isaac, Chief Revenue Officer, Forcepoint. “It’s moving from annually or biannually, now to quarterly or even every two months.” But as boards demand more information about their organization’s cyber-readiness, they are finding themselves without the context and skill to effectively evaluate the information they receive.
“Boards are starting to look for people with cyber experience to sit on the board,” says Isaac. “I know that doesn’t sound like rocket science, but it’s actually pretty new.”
But boards also require structures to help them reason about a quite complex area of the business, in line with the standards and tools used to manage other areas, such as finance and operational risk. CISOs also need these structures to help them report to the board in ways that can be readily understood.
“I think, over the next few years, we’re going to start to see a lot more policy standards,” Isaac says, “and how boards benchmark, quantify, and manage risk.”
This is all happening against a backdrop of rapidly evolving government intervention where previously industry was pretty much left to its own devices.
“Twenty years ago industry vociferously argued against regulation,” says Isaac. “How has that worked? It hasn’t.” Governments worldwide have now started to act.
“GDPR is a direct result of industry’s failure to self-regulate,” Isaac says. “Therefore, why would any country in the world assume that industry is going to self-regulate?”
But at the same time, some governments are moving to increase surveillance of their citizens, and to enlist the assistance—not always voluntarily—of private industry, for example through the UK’s ‘Snoopers’ Charter’ (the Investigatory Powers Act 2016) and Australia’s Assistance and Access Act.
Boards need to navigate this highly unstable environment of technological and regulatory change in an area where many board members have near-zero hands-on experience. Some are starting to add IT-knowledgeable members to their boards, but is it too little, too late?
Technology companies must also navigate this dynamic landscape, and too often they have focused on purely technical solutions when many of the problems are social in nature.
Isaac says the prospect of changing security to focus on humans rather than technologies is part of why he joined Forcepoint. “I literally joined Forcepoint because I was so taken by the concept of starting to connect humanity with IT,” he says.
“It’s weird that we’ve moved from mainframe to servers to desktops, centralized to decentralized to virtualized, and we’re still trying to manage it all based on structure as opposed to based on people,” he says.
Hopefully we’ll see both tech vendors and governments start to focus on the humans at the core of cyber issues, rather than only focusing on the technologies.
I was a guest of Forcepoint at its annual APAC partner conference in Kuala Lumpur, Malaysia. You can read my full disclosure here.