One of the ongoing security debates is about how to get the board of directors engaged in the security of their businesses. The recent article “Ignorance on cyber security no longer an option for boards” is the latest in a long line of reports saying boards must do better. Two things struck me reading this particular article.
First, the justification for why a director needs to spend more time and money on security is weak – a common issue in such articles. In this case it rests largely on the risk of failing to meet regulatory commitments to the Australian stock exchange. Directors get investment cases all the time and have to balance resources across all proposals, generally on three criteria:
- Do we have to do it? (legal / regulatory commitment)
- Does it lead to a reduction in business costs? (efficiency etc.)
- Does it lead to selling more? (new product, retain customers, better competitive position…)
Currently, security business cases lean almost entirely on the first bullet and count against the second, since security spending adds cost rather than reducing it (unless the cost of remediation after an attack is taken into account – the “insurance” argument).
The “selling more” case is often based on the risk that you will lose customers if systems are shown to be untrustworthy; but evidence of this actually happening is scarce.
As an industry we have to be better at making business cases – many have called for this before, so no amazing new revelation there.
The second thing that struck me about the article, and about other similar articles on how boards must do better, is that they focus on the governance of the business itself and on protecting the business’s own IP and customer data.
Few articles talk about the security of the products the business sells. The recent press about failures in automotive security could be a symptom of this.
Many automotive OEMs are highly protective of their business plans, and put controls in place to protect the design of new vehicles in development for fear of competitors getting a sight of what they are up to.
However, the security of the vehicles themselves is now being seriously questioned. This is also a core part of the security strategy the board has to consider – are the right internal policies and processes in place to build security into the development of products?
Sadly, few of the “board must do better” articles seem to cover this aspect. Perhaps they should, as it could strengthen the “selling more” part of the business case.