Cyber security is invisible foundation of modern organisation

CEOs recognise the dangers, but how to respond?

This is not to say that businesses and their CEOs underestimate digital developments. On the contrary, the CEO Survey shows that CEOs recognise the dangers and realise that they need to take action. But I think many CEOs have lost track of the ongoing rapid technological innovations and don't know exactly how to respond to protect their organisations.

Great need for qualified cyber specialists

There is a great need for qualified staff in this field in many organisations. Specialists who understand how cyber criminals work, who can look beyond silos within the organisation and who can detect and combat cyber attacks using innovative technology and tools. It's good to note that CEOs are listing the availability of key skills as second on the list of concerns and threats to their organisations. That's something I definitely agree with.

Unfortunately, the number of people with the desired skills is currently limited. And those who do have these skills often work at large challenging platforms like Google and Amazon and not in the risk departments of, say, banks or energy companies. In terms of upskilling, there’s still a lot to be done. In the meantime, cyber criminals are not sitting back and waiting.

The next crisis could be a major cyber crisis

The COVID-19 crisis and forced working from home are not helping to improve the cyber security of organisations and at the same time the risk has increased. Managers are losing sight of their staff to some extent and the bond between employees and the business for which they are working is becoming weaker. This can increase the likelihood of errors and involvement in fraud or even cyber attacks.

These are potentially ingredients for a dangerous cocktail, which I believe could lead to a major cyber crisis. I'm not just talking about cyber criminals stealing your savings, but also about shutting down financial payment systems or deliberately disabling energy company facilities. Businesses and institutions are currently insufficiently protected against such a threat. 

Four recommendations for CEOs

 With this in mind, I recommend that CEOs do the following:

• Invest in your IT and cyber security departments

Investments seem the obvious choice, but all too often I see that only the essentials are chosen. At some banks, for example, there are a hundred people working on credit risk and only a handful on cyber risk. And they have to take on gangs of cyber criminals who do nothing but hack all day long. Bearing in mind the pressure to cut costs, investing means making choices. Don't be afraid to reconsider the fundamental principles of risk management so you can keep up with new cyber and technology risks.

• Invest in your staff

As well as recruiting new staff with backgrounds in coding, IT architecture, cyber crime and psychology, it is important that you upskill or retrain your current staff in terms of ‘hard’ technical skills and expertise. But also to ensure that they develop a different mindset, so that you can do more in the way of future-proof risk management. The present times call for people who can deal with complexity and uncertainty. People who understand the entire value chain of a business and can properly respond to incidents and possible attacks.

• Look beyond the boundaries of your organisation

It is not only important that your own systems are properly secured, but also those of your suppliers and the businesses with which you collaborate. Hackers are increasingly trying to break into large companies using this detour. Get to know the ecosystem in which you operate and work only with organisations whose security is up to standard.

• Monitor the human aspect

The increasing use of technology poses a threat to corporate culture. Prior to the COVID-19 crisis, it was already clear that organisations must do better to maintain the human dimension. The pandemic, working from home and the growing emotional distance between organisations and their employees once again emphasise this need. Especially in times like these, it is vital to maintain a good cyber security culture. Continue to encourage and increase your staff's awareness of cyber risks.