Jonathan Lee, UK Director of Public Sector, Sophos, discusses the responsibilities of a cybersecurity board leader and, drawing on conversations with public sector IT teams, offers his top tips.
It’s no secret that security teams are fighting a constant battle against cybercriminals. Their growing entrepreneurialism, combined with evolving techniques and the crypto industry, means they are both more successful and more prolific than ever before – not to mention the fact that capturing cybercrooks operating around the globe is a huge challenge. In the public sector, this challenge is even greater, as teams are forced to work with limited budgets and fewer resources.
In my job, I often speak with public sector organisations about what they can do to strengthen and mature their defences. Sadly, this often seems to be in the wake of a serious cybersecurity incident, as opposed to before one. And this isn’t the fault of the security teams in place. Quite often they have pleaded their case to the heads of the organisation for budget to acquire the tools and talent they need before an incident happens. Sadly, these calls fall on deaf ears.
What seemed like a cost-saving measure ends up resulting in a financially crippling attack – not to mention one which also impacts negatively on critical public services. In our latest State of Ransomware report, we found that the average cost of remediation was US$1.4 million and the average recovery time from a ransomware attack was over a month. For those relying on crucial public services, any level of disruption is too much, but a month can have severe consequences for the most vulnerable in society.
This raises the question: how can security teams within the public sector petition for budget and support against a threat that their business leaders don’t necessarily understand?
Well, the NCSC has increasingly been talking about the need for security to move out of the IT department and into the boardroom to ensure that a good cybersecurity posture is one of the key focuses of any business. But what exactly would the responsibilities of a cybersecurity board leader be?
Here are my thoughts after conversations with public sector IT teams:
1) Cybersecurity needs to sit across all functions – not just within IT
Often cybersecurity is a function that sits within IT, despite the two having contrary objectives. The IT team, naturally, is aiming to drive operational efficiency, streamlining processes and enabling employees to complete their work as easily as possible. But efficiency doesn’t always go hand in hand with security. In fact, a robust security posture adds complexity and can impede productivity, as well as the IT team’s Digital Transformation strategy. A much more natural fit for the cybersecurity function is at board level, where it is able to bake security into the objectives of the business and help foster a security-first culture.
2) Understanding the inherent risk of the business
Every organisation carries some degree of risk – whether that’s in the purpose of the business, the network or supply chain it sits within, the technology infrastructure it has or, indeed, the processes implemented. At board level, many organisations will assess and forecast risks such as economic downturn, natural disaster or a product fault. However, evaluating cybersecurity risk is often overlooked, which invariably results in vulnerabilities or weaknesses in defences being exploited. From a public sector perspective, a board-level security advocate would evaluate the services provided by the organisation to understand where vulnerabilities may lie, which services would be most impacted and how to mitigate this. It’s only through this level of auditing that an organisation can understand its true threat level and, therefore, the standard of, and investment in, cybersecurity defences required.
3) Keeping security in step with transformation
As public sector organisations look to drive efficiency in service provision, Digital Transformation plays a key role. While many are still working with legacy systems – which present their own risk – a Digital Transformation plan that doesn’t factor in security will only increase vulnerabilities. IT will look to invest in technologies and solutions which streamline internal processes and allow the business to run productively; board-level executives will be keen to do this in as low-cost a manner as possible; and security will be keen to ensure that they’ve dotted all the ‘Is’ and crossed all the ‘Ts’ when it comes to baking security in. A board-level security advocate will ensure that the organisation’s cybersecurity posture and maturity match the level of transformation. This means having the right skills and training in place to adopt technology and implement it in a secure way, while also ensuring it works alongside the rest of the IT infrastructure to create a robust perimeter around the business.
In short, a cybersecurity person on the board would look at security from a structural, procedural and technical level, to help the business achieve its goals while protecting it from malicious actors. With security siloed in IT, the risk is that security becomes an afterthought and an add-on, until it’s far too late. At that point, the social and financial costs are far greater than the cost of protecting the organisation.