Cybersecurity: the board dilemma

The massive data breaches at Equifax and Target ended the careers of their Chief Executive Officers, who had each served in these companies for more than three decades. This indicates the kind of threat cybersecurity poses to those helming large organizations.

At Synergia Conclave – Security 360, experts from the field discussed how a company’s top management can address cyber threats.

Background

Equifax holds data on more than 820 million consumers as well as information on 91 million businesses. Twice in the company’s history, it has been fined by the Federal Trade Commission for violating the Fair Credit Reporting Act. In September 2017, the company announced that a large-scale data breach had taken place. It stated that an unauthorized third party was able to gain access to Equifax data on as many as 143 million Americans. This is nearly half the population of America. In the wake of this controversy, Richard Smith, the former Head of Equifax, resigned from his position.

In 2013, retail giant Target witnessed a cyber breach that affected more than 41 million of the company's customer payment card accounts. In 2017, the company agreed to pay an $18.5 million multistate settlement, the largest ever for a data breach, to resolve state investigations.

Analysis

Tobby Simon, Founder of Synergia Foundation, led into the subject by asking: what is cyber? Is it really a threat, or is it something to be looked at like any other risk mitigation exercise? Many a time, mitigation is done after an event happens. The second issue he focused on was: ‘If cyber is under threat, what are we trying to protect?’ Is it intellectual property, digital assets or information? The answer we get from many companies is that they are trying to protect networks. The third point he focused on was that cyber goes well beyond networks. The maximum surface area of networks in a cyber security narrative is only 18%; this was what Synergia understood from their research in 2015, that 80% of all cyber threats lie outside networks. He admitted to being a bit provocative in the statement: ‘Basically if you get the best CIO and protect your networks 100%, you still are exposed 80%’. The last problem he pointed out was that security challenges are always built on the expense line, not on the revenue curve. He compared the issue of cyber threats with a boxing ring: if one is in the boxing ring intending only to defend oneself, how many punches can one take?

Ajay Nanavati, Chairman, Syndicate Bank, remarked that his experience captured the essence of three different perspectives: that of a global MNC, an Indian public sector banking perspective, and a midsize manufacturing industrial perspective. One of the biggest issues is intellectual property. Part of the issue is that at the board level there is a lack of awareness about it. Very rarely, if ever, do issues of cybersecurity crop up at the board level. He noted that any chain is only as strong as its weakest link, and highlighted the importance of boards understanding the risk that cyber poses to companies. He remarked that there should be representation at the board level of individuals who understand cyber issues. Then, resources to ensure better cybersecurity need to be allocated, and readiness must be built into the system. He warned against the tendency to have a ‘silo-ed’ approach; the reality, he said, is that this cuts across multiple silos.

Deepak Kumar Hota, Director & Member of Board, BEML Ltd, said that it was possible to think about cybersecurity in a ritualistic way and put the onus on the IT guy, but today you cannot guarantee that getting the best of technology or manpower will keep you safe in cyber. No matter how good your plans are, if there is a lack of coordination, then you are at risk. What tolerance for ambiguity do top board members have? He remarked that this was an issue of mindset. The second aspect he touched upon was that cybersecurity is set to be a trillion dollar industry by 2020. This meant that there will be a shortage of skilled people working in this sector. He was of the opinion that we are not geared up to meet this demand. The last point he highlighted was that the issue of cyber cuts across HR, IT, Finance and Business. In a scenario where a company is handling a lot of customer data, which could be vulnerable to cyber attacks, how are contracts with customers going to be affected by the possibility of cyber threats? He said, “First of all in the board room, you don’t admit that you don’t know, then the more you get to know, the more scary it is, the more scared you get, the more you have kneejerk reactions like spending money, hiring the best of consultants…but it would be hard to get very definite responses from the board room.”

Krishnakumar Natarajan, Co-Founder, CEO and Managing Director of Mindtree, shared from his own experience the dilemma within his own board about how cybersecurity needed to be addressed, and how to see this issue in the context of the services that an IT company provides. His first observation was that many boards think of this as a technology issue. But this is not so. This is one thing boards need to be very clear about. The second point is ‘why is this so necessary’. Every company wants to connect to its customers through online channels. So the notion of an organization with a physical centre is no longer valid, because companies have grown beyond such boundaries. New models of work are bringing in new risks, and boards need to be concerned about this. Boards usually talk about external risks, but research shows that 70% of data leaks are internal. He touched upon why boards need to be more concerned about the issue: a cyber-attack is a huge reputation risk.

Assessment

Our assessment is that cyber threats are asymmetric and go beyond networks. We believe that corporate boards must be fully cognizant of the existential nature of such threats, which can destroy both the business and the legacy that promoters would have painstakingly built over the years.
