By Akshat Gairola, Partner, Cybersecurity, BDO India
Digital transformation is sweeping across industries as organisations move at their own pace towards becoming completely digital. The growing relevance of cybersecurity is tied to this transformation, with companies seeking to streamline processes for efficiency, optimisation and transparency. Risks and the tools that mitigate them have evolved, pushing security concerns beyond IT departments to the boardroom. Previously, security issues fell solely under IT’s purview; today, these concerns are brought to the board for its attention and guidance.
Regulations, compliance requirements, industry best practices and established frameworks offer guidance to organisations, setting out expectations from leadership down to every individual. Companies are acting according to their scale, but whether these measures are sufficient remains uncertain. Companies need to ask themselves: is implementing a technological solution sufficient? Are discussions about risk at the board level adequate? What additional steps or measures are necessary? What challenges do we face? Cybersecurity governance must begin with upper management, which requires thorough discussion at that level, supported by comprehensive data for informed decision-making.
While many organisations, especially those under regulatory compliance, adopt this approach, boards or committees that are primarily focused on business interests might lack technological expertise and rely heavily on the perspectives of their security and internal audit teams. The board should therefore include a senior independent industry expert with a deep understanding of the subject matter. This individual could serve as the board’s informed evaluator, interpreting the data presented by the security and internal audit teams so that the board can reach its own independent decisions.
The internal audit team also needs the capability, either in-house or through empanelled cybersecurity firms, to audit the operations team (the cybersecurity team led by the CISO). Without such capabilities, internal audit cannot bring an independent view of the cybersecurity operational status, and the report it tables to the board may not give a true picture.
It’s crucial for the board to foster a culture in which an audit finding isn’t perceived as fault-finding against the cybersecurity operations team. Instead, it should be seen as constructive feedback that empowers the security team to improve and address vulnerable areas within the ecosystem. It is equally important for the board to instil, through business leaders, a culture among business teams that emphasises the responsibility of end users.
While businesses focus on numbers, it’s essential in today’s world to prioritise security. A single mistake, such as clicking on a phishing email, can grant attackers access to the company’s core assets. When business leaders prioritise security, every team member understands its importance. This significantly aids the cybersecurity team, because even with advanced technologies and efficient processes there is still room for human error.
Therefore, continuous training on cybersecurity responsibilities is imperative. Promoting this atmosphere fosters an integration that is missing in today’s organisational landscape.
Disintegration within an organisation creates vulnerabilities, and when attackers identify these gaps, they exploit them. Breaches don’t always occur because of technological weaknesses; attackers can exploit human error or weak processes to extract the information needed for a successful cyber-attack. Rolling out technology often faces initial hurdles in stabilisation and goal achievement. While tech solutions offer standard use cases, they serve only as a foundation.
Organisations must tailor their own use cases, considering their ecosystem, user adaptability and ongoing contextualisation to meet their objectives. As someone rightly stated, cybersecurity acts as brakes: not to halt progress, but to navigate the complexities of our world.
One of the prime challenges any organisation faces is that users are no longer bound by physical boundaries. While there are products available to mitigate this risk, it’s important to note that a single product might not solve all issues, and a combination of products is often necessary to address multiple risks. However, explaining the need for multiple products instead of a single comprehensive one to senior stakeholders can be challenging for the CISO and the security team. Cybersecurity is seen as a cost centre, but in order to run a secure business, one has to invest in safety. As mentioned earlier, a senior representative on the board who understands the subject well can help the board make an informed decision, in consultation with the CISO and internal audit, in the best interest of the organisation.
The challenges across industries are quite similar, although certain sectors may face heavier regulations than others. Some organisations are larger while others are smaller, yet each must strike a balance and devise a practical roadmap. Implementing cybersecurity measures can be financially burdensome for smaller companies in their growth phase. In my opinion, the government should offer these smaller entities benefits allowing them to claim full or partial tax deductions for such implementations until they reach a size where they can afford these expenses from their business revenue. This approach would incentivise smaller companies, enabling them to establish a stronger cybersecurity posture from the outset. Ultimately, this not only benefits the individual company but also fortifies the entire ecosystem, making it harder for attackers to exploit such entities for their malicious purposes.