Cumulative Effect

Historically, cyber security was always a “poor relation” in the eyes of the majority of Boards and CEOs, considered inferior, less important, or not as well-regarded as other issues or compared to them and treated as an annoying cost centre requiring more and more money that could potentially have been spent “better” elsewhere. This is a result of inertia, a cumulative effect of multiple factors and, more importantly, a lack of understanding of how the landscape has changed in the last 25 or so years.

So, what can Board Members and CEOs do to improve the organisation’s cyber security posture? They can do a lot of things!

To start with, they need to recognise and acknowledge the inherent insecurities of the Internet, on which organisations’ business is built today. By doing this, they will start thinking in the right direction (e.g., “we live and operate in a high-crime area”). They may start focusing on the strength of the domain/subdomain and certificate management processes and ensure that they are bullet-proof.

Secondly, they can look at expanding the organisation’s KPI to include cyber security with carefully and correctly selected KPIs (like, for example, year-on-year decrease in the complexity of the organisation’s IT ecosystem). They can also consider their approach to the use of unmanaged by the organisation devices (like BYOD devices and home computers).

Thirdly, they can have an additional lens to look at the business cases by introducing “cyber security risk-reward” analysis (oh, isn’t this just another KPI?). This will help with the way they look at the digital revolution. It will also enable looking at the agile approach from a different angle, and, possibly, reconsider its use. It will also help with the containment of the SaaS sprawl and shadow IT.

Then, they can ensure that the organisation has a full understanding of the shared security responsibility concept and ensures its correct implementation and management.

Another area they can impact is understanding (and management!) of the supply chain cyber security risks (and dependencies!) across all (not only IT!) vendors and service providers. They may put more attention to who (and how) is managing the organisation’s DNS and what cyber risks this poses to the organisation. This may also push them to start thinking about the organisation’s commitment to the use of the “digital monopolies” (like, for example, Microsoft or CrowdStrike).

They may at last recognise that Compliance ≠ Security and that as much as a proper implementation of the chosen standard(s) and framework(s) may (or may not) improve an organisation’s cyber security posture, it does not offer any guarantees about the actual cyber security posture of the organisation.

Finally, they may get out of the fear of missing out (FOMO) trap and start looking at AI adoption through a cyber security risks lens and start thinking about and planning the implementation of post-quantum cryptography.

This book is an attempt to be a “wake-up call” and a call to action.