Russia has only recently codified and set out standards for corporate governance, transparency and paths to market trust. These past several years have also added a further, fast-developing area of concern: cyber risk, which today has become a major board responsibility and issue for both public and private companies.
Having served on and advised several Russian boards of directors over the years, I have seen this become ever more urgent, especially in the boardrooms. Business risks are obviously a key factor to manage wherever on the planet one does business. One clear indication of how seriously this is taken is the rapid growth of budget allocations specifically aimed at getting a managed grip on cyber risks and cyber security.
Some companies place these responsibilities in the hands of risk management departments or similar, usually within the purview of an IT department, and that box is thereby ticked, for better or for worse. Others push money at the challenge by retaining the services of a Dr. Web, Kaspersky, the Secret Studio and similar. Others may buy all sorts of cyber insurance, mistakenly believing this will keep risks at bay; in practice, insurers should and will recommend the actions needed to qualify for comprehensive cover. The easy attitudes have changed, and ticking boxes, like passing the buck, will no longer suffice.
One of the challenges, among several, is the distance and differences in the understanding of the digital world and its language as opposed to the understanding of business, industry and the language of commerce. It was and to varying degrees still is a digital cultural divide at the general management and board level. With the blockchain and outgrowth applications in Fintech and elsewhere firmly gaining broad acceptance, the blending of these cultures is inevitable.
I have witnessed a real core change in the attitudes of Russian boards concerning cybersecurity and the increasing responsibility many directors are taking in addressing this area. This is despite the reputation Russia has of being “hacker heaven”, able to leap tall buildings in a single bound or alter foreign national elections. The fact is that cyber risks affect Russian businesses every bit as much as businesses in every other corner of the world. These are equal-opportunity risks that know no national borders or geopolitical dissonances; the threats are globally equal.
The development of means and measures to confront cyber risks in many businesses throughout Russia has been mixed at best, just like in the rest of the world. Some are now at the cutting edge of cybersecurity, and some are still avoiding the issue aside from tasking IT departments to “handle it”.
For any company anywhere in the world cyber-risks are the same, and the threats do not come from some shadowy “evil empire”, but across the entire digital realm of the planet in equal measure. The juicier and more developed the target, the more hungry and aggressive are the risks, be it in Silicon Valley, Vladivostok, Dubai, Beijing or Durban. Like in any other risk sphere, the lower the fruit, the easier the target of opportunity.
Some of the better-prepared boards here have taken proactive steps which may be of interest to review, and I have attempted to collect them into a narrative. These observations are nothing more than applied common sense, not rocket science. Many of these positions have become part of the operational fabric of several companies, both public and private, in Russia and globally as well. What makes them valuable is that they are now being woven into the mindsets and views of more and more personnel, their management and boards of directors.
Several boards have prioritized into their operational mandates the task of identifying those key assets that may be open to cyber-attack, which cyber risks to avoid, accept, or simply observe, and to develop specific plans associated with each approach.
The corporate culture of many boards has changed to view cybersecurity as a strategic and managerial issue and to hold management accountable for recommending and implementing the overall cyber-risk management strategy and policies. This has led to concepts and policies of defensive response, and then to intelligent adaptation by continually gathering updated intelligence in this fast-changing risk environment.
There is a far greater emphasis by the board and management on understanding the company’s exposure to third-party linkages and vendors. In many cases this has been shown to be a poorly secured backdoor.
Most importantly, quite a few are actively budgeting to augment the development of a corporate and HR culture that places a high value on cybersecurity, and educating all employees in this risk reality.
The one thing shareholders remember when it comes to a cyber crisis and the subsequent board/management judgement calls is the outcome achieved. A positive outcome is usually the result of a well-considered, disciplined process that demonstrates responsible planning and a commitment to creating and implementing corrective measures. Therefore, CYA does play an incentive role in this area.
Board meetings have become a vital time for corporate directors to reassess how they exercise their governance responsibilities with regard to the management of cybersecurity risk. In today’s global cyber minefield, it is essential that boards of directors not just monitor performance, but reward through incentives excellence achieved in this area.
Boards must lead by defining to management their vision and behavior for cybersecurity and then clearly demonstrate the priority the organization places upon strict adherence. After all, a risk culture gathers all aspects of risk-taking and risk management together through shared corporate values, beliefs, and attitudes.
Cybersecurity is no exception; establishing a strong cybersecurity culture is an essential component of any program, given that the vast majority of cyber risk can be initially traced to people and related behaviors, not technology. There are no offensive strategies in cybersecurity, only defensive ones.
The reality is that most employees are not interested in their personal digital security, much less that of their company. In consequence, changing a company’s culture to strengthen security is especially difficult and requires a top-to-bottom commitment “with teeth” to keep pace with evolving threats. Historically, anything to do with IT security was kept separate from users by IT teams. Little wonder that users show little or no interest in the company’s digital security.
The simple fact of the cyber risk issue is that the employees/users should be the first line of defense. They are the ones who create and handle the information, and they are in the best position to understand its value. Boards of directors worldwide, not only in Russia, are more frequently demanding that management develop interactive training and accountability programs that work with users. In some cases, modern game-based training is used, and how staff apply that training can then be monitored, helping to transform a company’s culture into one where everybody has an interest in enhancing cybersecurity.
Without a strong risk culture, even the best cybersecurity management framework would be vulnerable to weaknesses and failures. Given the continuously changing and quickly evolving cyber environment, engendering a strong cyber risk culture provides employees with principles and values to guide activities while policies are still in the process of being drafted or updated. It also strongly narrows the divide between analog and digital thinking, which yields benefits to users on a personal level as well.
No longer is it a question of whether a company will be attacked but more a question of when this will happen, and how a company is going to prevent it or at least control damage. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery and ability to continue conducting business.