June 26, 2026

Why every board agenda needs a cyber conversation

Boards spend a lot of time asking questions. They challenge strategy, review financial performance, interrogate financials and revisit decisions that made sense six months ago but may no longer make sense today.

Which makes one question from Jason Oehley, regional sales director at Arctic Wolf, particularly interesting: “Why are executives and boards not doing the same when it comes to their cybersecurity?”

In his view, the more digital organisations become, the harder it becomes to justify treating cyber resilience as something that sits outside of regular business discussions.

According to IBM’s Cost of a Data Breach Report, the average data breach in South Africa costs organisations more than R44 million. Yet, despite growing investment and greater awareness, cyber incidents continue to affect organisations of every size.

Oehley does not believe businesses are failing to take cybersecurity seriously. Most understand its importance and have invested accordingly. The question he keeps coming back to is whether organisations have the visibility needed to understand their risk.

“You can’t protect what you can’t see,” says Oehley.

At first glance, that sounds obvious. In practice, it points to a challenge many organisations underestimate. “Most companies struggle with understanding what they actually have in their environment.”

For many businesses, this goes far beyond keeping an inventory. Understanding exposure starts with understanding what the organisation actually has. Knowing where assets are located, whether they are being managed properly and whether security controls are being applied consistently has become just as important as detecting threats themselves.

Businesses have become significantly more digital over the past few years, and the way people work has changed along with them. Many organisations are now supporting environments that stretch far beyond the office, making it much harder to maintain a clear picture of everything that needs to be protected.

Over time, assumptions that once made sense can quietly become outdated. For example, a temporary change stays in place because a configuration is never revisited, and before long, different teams can have very different views of the same environment.

One of the consequences is that organisations have become very good at responding to problems while spending far less time reducing the chances of those problems happening in the first place.

“Everybody thinks because I have a security operations centre and I’m monitoring this, I’m protected.”

Monitoring is essential, but understanding that something has happened is not the same as reducing the likelihood of it happening.

Another challenge is complexity itself. “The amount of noise becomes overwhelming,” says Oehley.

Most organisations are not short of information. If anything, they are drowning in it. New technologies promise greater visibility, but they can also create more complexity, and teams are expected to make sense of huge amounts of information while balancing countless other priorities.

Artificial intelligence has added another layer to that challenge. Much of the conversation around AI has focused on productivity and efficiency, but its effect on the speed of attacks deserves equal attention.

According to current estimates, between 80% and 90% of attacks are now fully automated. Tasks that once required time and effort can increasingly be carried out at machine speed, allowing threat actors to identify weaknesses and exploit them far more quickly than was previously possible. “It’s become a game of speed,” Oehley notes.

Many of the processes organisations rely on today were designed for a world that moved much more slowly. Reviews happened periodically because people could reasonably expect to keep pace with change. Those assumptions start to look very different when risk itself is changing continuously.

In an environment where attacks are increasingly automated, the gap between the pace of risk and the pace of decision-making becomes critical. That doesn’t mean boards need to become cybersecurity experts. It does mean they can no longer assume the job is done simply because the right tools are in place.

Perhaps the more interesting discussion that needs to be had is not whether cybersecurity belongs in the boardroom, but why so many organisations still behave as though it doesn’t.

“Leaders are already used to challenging assumptions and asking difficult questions in every other area of the business. There is no reason cyber resilience should be any different. It should sit at the top of the agenda, alongside profitability and revenue discussions,” states Oehley.

It is no longer the case that the organisations that are protected are the ones with the biggest budgets or the longest list of security tools. They may simply be the ones that develop the habit of asking better questions.

Because, as Oehley puts it, “cybersecurity changes every minute, every second, never mind every day.” Maybe it’s time we started treating it that way.