The digitalisation of the economy is only increasing, and at great speed, meaning cyber risk is here to stay. Not surprisingly, business surveys consistently show that cybercrime, and its impact on brand and reputation in particular, ranks among the biggest concerns for chief executives.
Companies can harness technology to contain costs, improve business processes, sharpen product and service offerings, and deepen their knowledge of customers. But there’s a flipside to this digital Eden: heightened exposure to potentially catastrophic cyber-breaches.
The frequency of cyber-attacks and internal cyber-bungles, coupled with their potential to cause companies deep and perhaps permanent harm, is prompting a rethink of how companies respond.
Telstra’s chief information security officer, Mike Burgess, and chief risk officer, Kate Hughes, believe the key to creating an effective cyber-risk management response starts with recognising that cyber security is not just an IT risk, but a business risk.
“Cyber risk should not be seen as something separate to be managed differently,” Hughes says. “We’ve developed an overarching governance framework which recognises that cyber risk exists alongside other business risks.”
“Cyber security is a business risk first and foremost, which makes it a leadership issue. That starting point is absolutely key to an effective cyber strategy.” – Mike Burgess
A seat at the table
When wise heads gather at the table to discuss the growing problem of cyber risk and data security, that table is located not in the IT department but in the C-suite.
Burgess insists that as long as cyber risk is considered an “IT issue”, company-wide buy-in, and even C-suite buy-in, will be difficult to achieve.
“People will say ‘this is a computer problem therefore it’s not my responsibility, we’ll leave it to the IT department’; that’s the biggest challenge organisations face when it comes to cyber security,” he says.
The way to address this, according to Burgess, is “the constant drumbeat of engagement”.
“Cyber security is a business risk first and foremost, which makes it a leadership issue,” he says. “That starting point is absolutely key to an effective cyber strategy.”
For cyber risk issues to be rigorously canvassed in the C-suite, Hughes adds, it is essential to speak the language of the C-suite. This, apparently, is a skill Burgess has down pat.
“Mike engages in a truly commercial way with our leadership team – by that I mean he gets away from the technical jargon and doesn’t treat it as some kind of rare specialisation – he talks about it as a serious commercial business risk,” she says.
“It’s taking cyber risk out of the technical sphere and getting it to a place where we can talk about it in the same way we talk about privacy, business resilience or safety.”
Hughes says the challenge is no less real for her as chief risk officer. “CROs should not let cyber-security risk become something special and different,” she says.
“Risk is risk. Whether it’s digital or real-world, the trick is to apply the same thinking and rigour we do to other significant risks.”
Idea in brief
- Any company with stored data is at risk of potentially disastrous hacking
- Companies need to think about both prevention and response strategies
- Cybercrime, and its impact on brand reputation, is a big concern for any CEO
- Managing cyber-risk requires company-wide engagement