Mikko Hietanen, Board Director, BAE Systems Applied Intelligence, gives his views on how to get buy-in from the company board for cyber security investment, from his perspective on the board of one of the world’s largest defence and cyber intelligence companies.
Digital attacks can threaten an organisation’s global reputation and at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage.
Company boards need to recognise that a cyber attack will happen at some stage and that cyber security is a matter for the entire business. The organisation’s IT department alone is unlikely to protect every digital asset of the company effectively without executive support. A 2014 World Economic Forum and McKinsey report said cyber resilience can only be achieved with “active engagement from the senior leaders of private and public institutions.”
BAE Systems Applied Intelligence Board Director Mikko Hietanen said: “Cyber attacks are operational business risks, not just IT risks. Most boards are not made up of security experts, so it is crucial for IT and senior executives to frame the problem in terms of those business risks.”
For effective governance and accountability, businesses should implement processes to identify attacks early and then respond to these in a structured and repeatable manner, with a clear delineation of responsibility.
“Unfortunately, traditional methods of cyber security, centred on trying to block a known threat from entering the IT estate, don’t always work; companies are finding their networks and assets just aren’t protected sufficiently, and becoming frustrated with the issues that slip past their traditional defences,” Mr Hietanen said.
“Investing in cyber security is ramping up globally, but traditionally it has been somewhat of an afterthought for boards.
“Take M&A for example; if your company is thinking of acquiring another company, cyber security capability might not have traditionally been part of the due diligence process. Boards are now learning that it needs to be part of the acquisition strategy, because if a company’s IP and data have been compromised, there isn’t much value in acquiring it, is there?
“Cyber criminality used to focus mostly on the financial sector, but has widened significantly in the past few years.
“Boards that have never had to focus on cyber security are now finding themselves in sticky situations. Any company that has large swathes of data and personal information is a target. And companies with significant IP to protect, and who have managed to find efficiencies their competitors haven’t, are open to industrial espionage.
“It’s important to widen the focus to unknown threats, new threats, and to understanding unusual behavioural patterns identified in data, otherwise known as threat intelligence. Threat intelligence gives us rich information on new malware, previously unknown perpetrators, trends that are emerging and more. This can fuel our analytics and provide a better understanding of the threat environment.
“Not only companies, but also Governments, are increasingly realising that they need advanced threat detection capabilities. At the heart of these is solid and comprehensive threat intelligence. BAE Systems Applied Intelligence is a significant contributor to both the UK and US Governments, and works with a number of agencies and departments here in Australia.
“Because a company’s security is only as strong as its culture, it is up to the executive leadership to set the standards and expectations that will help the entire workforce maintain strong security measures. To do this, companies must allocate the right resources, which can only happen when the board fully supports the need for an effective security posture.
Creating a strong business case for security relies on measuring and articulating the potential return on investment (ROI) appropriately.
“Having a solid business case, and explaining ROI in terms of business impact is necessary to achieve buy-in for critical security investments. It creates a bridge between the business and technical teams, giving them a common language and understanding.
“Once this happens and the business risks of inadequate cyber security are made clear, companies are more likely to successfully implement effective, appropriate and scalable security measures.
“This is becoming a boardroom topic, and boards are looking at cyber in a much more strategic way.
“The benefits of doing so are far-reaching, extending beyond simple operational continuity to protecting the company from financial losses, litigation, fines and more,” he said.
Mikko Hietanen is on the board of BAE Systems Applied Intelligence, part of BAE Systems, a global defence, aerospace and security company. He is visiting Australia to meet with key clients and businesses and to share his global expertise on cyber security and combating financial crime.
BAE Systems Applied Intelligence delivers solutions which help our clients to protect and enhance their critical assets in the connected world. Leading enterprises and government departments use our solutions to protect and enhance their physical infrastructure, nations and people, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, and competitive advantage and financial success.
Reference: David Chinn, James Kaplan and Allen Weinberg, “Risk and responsibility in a hyperconnected world: Implications for enterprises”, McKinsey & Company, January 2014.