How CEOs can get on top of cyber risks

As cyber attacks become ever more prevalent, sophisticated and damaging, CEOs are asking: how can we strengthen our security and readiness to respond? But it can be difficult to make sense of these increasingly complex risks, weigh up the threats and target finite resources where they can be most effective.

The resulting questions for you as a CEO include: 

1 How do I build cyber security into my overall business strategy?

Effective cyber risk management requires both cyber security – the ability to reduce the risk of a cyber attack – and cyber resilience – the ability to detect, respond and recover from a cyber attack. 

You will be able to have conversations about whether to invest in preventative controls (to reduce the likelihood of a cyber incident happening) or responsive controls (to reduce the impact of a cyber incident when it does happen). Our clients often find that they reach a return-on-investment ceiling when it comes to preventative controls;  it becomes prohibitively expensive to invest more in reducing the likelihood of an attack. Therefore, many of our clients choose to focus more on responsive controls. Executive teams and Boards need to be well-drilled on incident response plans to be confident in detecting, responding and recovering effectively to a major cyber incident.

2Have we clearly defined the role and remit of the CISO and is this right for the organization?

Hiring a good CISO with the right mandate and trusting them to get on and deliver is key to building cyber resilience. However, positioning the role of the CISO and cyber security function appropriately is not always straight forward and there is no single right answer. 

Should they report to the CFO, CIO, or other? Is the role accountable to the Board and audit and risk committee? Is the role to set policies and standards (for other functions to meet) and then provide governance and assurance, or is the role to actually deliver cyber security? Is it a head of IT security, or a fully-fledged role across all aspects of cyber and information security, including human risk factors (awareness and training) and data governance? 

All these models can work, and the right fit for your organization depends on the nature of your business, your approach to enterprise risk management, your risk appetite, and the other structures you have in place. In any case, the roles and responsibilities for managing and delivering cyber security capabilities must be clearly defined and understood by all those involved. 

3Does my organization understand the cyber risks and have the capabilities to mitigate them? Can I adequately demonstrate this to shareholders, regulators and insurers?

In the face of continually evolving cyber threats, it can be hard to maintain an intelligible view of the risks you face. Are you getting the ongoing reporting and assurance you need that the risks are defined, understood and being managed effectively? You should be having productive, proactive discussions across your executive team and risk management committees about this. If you’re getting lost in technical jargon, or if you’re not clear about whether your risk exposure is acceptable or not, you’re likely to find it difficult to meet shareholder and regulatory demands. You’re also likely to need improvements to your cyber risk and resilience management processes. 

4Is your organization ready to respond and recover in the event of a major cyber attack?

As the public face of your organization, it’s important that you as a senior leader understand and have confidence in how the organization will internally align in the event of an attack. As described above, you must be well-drilled on your incident response plans to be confident of detecting, responding and recovering effectively to a major cyber incident. 

This includes ensuring your executive team and Board are all clear on their specific roles in incident response. It’s also important to be clear about the key messages you will need to relay as a leader ‘in the moment’ to an attack and later to rebuild confidence with employees, shareholders and regulators once the incident has been addressed. For example, having up-to-date incident response playbooks with pre-built scenarios and draft communications will help you to execute this if the real thing happens. 

How Berkeley can help

At Berkeley, we have experience of helping leadership teams answer these questions through all stages of their cyber journey. We can help you to:

• Define your cyber strategy to set clear goals and ensure alignment with business strategy 
• Deliver your cyber transformation program 
• Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
• Deliver specific projects in your cyber portfolio that you may be struggling with
• Rebuild and strengthen your cyber capabilities post cyber-attack
• Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews
• Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.