Over the past year, generative AI has swept across the business landscape, igniting boardroom discussions about its application and potential. The National Cyber Security Centre (NCSC) has warned that AI will almost certainly increase the volume—and heighten the impact—of cyber-attacks over the next two years, and there is a growing recognition of the importance of bolstering boardroom engagement with cybersecurity strategies.
Fortunately, many boards are already making big strides in this area, laying a solid foundation upon which they can continue to build and strengthen their defences against evolving cyber-threats. As recent high-profile cases demonstrate, cyber-attacks can be crippling for targeted organisations.
Library learning
The British Library, for example, will require millions of pounds of investment to rebuild its digital services after a recent attack. To drive awareness and education, and to help protect other organisations from a similar fate, the institution published a review of the incident.
Board members are aware of this risk: according to Harvard Business Review, 65% of board members believe their organisation is at risk of a material cyber-attack within the next 12 months. What’s more, boards are increasingly involving themselves in significant proactive efforts to increase cyber defences.
This has taken multiple forms, including education, certification through organisations such as the National Association of Corporate Directors (NACD), and becoming more hands-on with the chief information security officer (CISO) role.
This has been a big positive shift over the past ten years from the days when board members were often passive toward cybersecurity because they viewed it as a specialised topic. Cybersecurity was often left to the chief information officer (CIO) and CISO, and strategic planning for cybersecurity was a siloed organisational issue.
So what lessons are there today for boards looking to follow this growing trend and become more active players in managing the evolving cybersecurity threat? Four key steps stand out.
1. Know that it’s not ‘if’, but ‘when’
Despite 76% of board members believing that they have made adequate investments in cyber protection, successful cyber-attacks still can, and do, happen.
And from the moment a threat is detected, it’s already too late to strategise a response to the attack. Therefore, it’s critical for organisations to have a plan in place before any incident so that teams are equipped to handle breaches effectively when they do happen.
The board has a valuable role to play here. First, it should ensure that the organisation has implemented a robust framework that validates that the team understands how to react to a cybersecurity incident, emphasising what’s expected of them during these events.
Part of this process includes identifying what data needs to be protected, defining what constitutes a significant incident, and outlining the protocols for notifying the board of directors and appropriate regulators.
Another critical aspect of this strategy involves outlining the appropriate aftercare measures. Research shows that one in seven employees involved in a cyber-attack display clinical trauma symptoms, and it’s important that leaders understand the professional and emotional ramifications of cyber-attacks on the organisation, and establish guidelines to provide support during and after these attacks.
2. Ensure the right leaders are steering the ship
Leadership is an often intangible but always crucial ingredient of business success, especially in high-stakes environments. Boards therefore need a clear approach to ensure they hire the right people to navigate the complex cybersecurity landscape. When evaluating candidates, boards must have a clear vision of the ideal person for the role and the skills they should bring to the table.
Ensuring that the candidate has the necessary technical expertise for the role is, of course, important—but so too is being able to communicate cybersecurity matters effectively, enabling the board to fulfil its duty as the protector of the business against operational risk.
Today’s cyber-threat landscape requires every employee to recognise and act on cybersecurity risks to some extent. According to Netskope’s Cloud and Threat Report, bad actors most commonly gain access to their victims’ systems via social engineering such as phishing emails, rather than attacking the systems themselves directly.
Employees, therefore, serve as a key line of cyber defence. This means that teams need the right training to be able to spot and avoid threats. It’s crucial for organisations to appoint the right leaders to drive this education and awareness, and to instil a cybersecurity-first culture.
3. Understand cybersecurity is a business investment
Businesses are, at a time when many budgets are stretched, already spending significantly on cybersecurity: this year, 69% of IT decision-makers reported increased cybersecurity budgets.
Meanwhile, AI is driving a need for additional spending. AI functionality is being implemented across industries, offering numerous benefits to users. However, it also introduces new security frontiers, putting data at risk. Bad actors have been spending big on AI too, using it to accelerate their hostile actions and explore new avenues of attack.
Businesses should see their response, also backed by AI, as an investment, and cybersecurity as a business enabler. The traditional view is to see it as a cost centre. But data has become an invaluable asset to protect, whether IP, source code, or personal and customer information. Security teams are already tasked with ensuring the secure use of cloud applications.
The principles and tools they employ, such as zero trust, are equally applicable to the secure adoption (or blocking) of AI applications. By applying the same proactive approach to cybersecurity as they do to AI, boards can recognise that investing in secure network infrastructure and operations can have a transformational impact on their business.
4. Embed cybersecurity into your organisation
Businesses must adopt a comprehensive strategy to embed cybersecurity principles across all levels of the organisation. While security teams bear the primary responsibility for cybersecurity operations, every member of the organisation plays a role in stopping a cyber-attack.
To ensure that every employee is aware of their role, businesses need to integrate cybersecurity awareness into employees’ daily consciousness through education, and guide their daily interactions using zero trust security architecture. The board can play a particularly valuable role by ensuring that this includes management themselves. Additionally, the board must ensure that regular vulnerability checks are part of the cybersecurity framework.
A board’s oversight role is to ask business critical questions—and data has taken its place as critical for almost every organisation. While the technological landscape evolves quickly, organisations can ensure they are prepared for and able to defend against threats when they come by continuing to prioritise cybersecurity at a board level.
Shamla Naidoo is Head of Cloud Strategy & Innovation at Netskope