Cyber Security
Make digital risk part of the board discussion
R By Thomas Fikentscher, Regional Director, ANZ at CyberArk
WATCH HERE
18 | Cyber Risk Leaders Magazine
isk is part of doing business. Investing into a new mining facility or launching into a new vertical – in fact, almost every strategic decision by an organisation – carries a degree of risk. It is understood, assessed and weighed up against potential outcomes before a decision is made. Why then is cybersecurity’s role in positive business outcomes still not widely or well understood in Australian boardrooms? Every day we hear about businesses and government agencies being breached, often to a quite staggering degree. Now, we don’t often know the full story or extent of the problem until later down the line – sometimes years later. But the very fact that critical data and assets are constantly compromised tells us that a key aspect of the business hasn’t been properly risk assessed. This is not an issue unique to Australia; it’s prevalent globally. In fairness, there are some attacks that could not have been prevented. What we are learning from the US Senate's select committee on intelligence on last year’s attack on SolarWinds is that the degree of resources and hacker innovation can be overwhelming even for the best prepared organisation. Microsoft President Brad Smith estimated in testimony during the hearing that at least 1,000 skilled engineers were part of the attackers’ resource pool. But this is an exception. Most cyber attacks can be
prevented from causing severe damage to an organisation. Their mitigation is, in part, down to how digital or cyber risk is understood at the executive level. The level of understanding around this area would be less concerning if digital wasn’t an essential building block of so many key business initiatives. But it is key to so much. Huge focus and large investments are being made in digital transformation initiatives. Businesses are becoming more reliant on digital technologies to accelerate the pace of innovation, gain a leg up on the competition and improve business performance. As part of this push, they’re embracing DevOps methodologies, cloud-based services and on-demand applications to increase business agility and improve efficiencies. Meanwhile, advancements in artificial intelligence, the internet of things (IoT) and robotic process automation (RPA) are helping enterprises transform raw data into meaningful insights and improved productivity. All this, of course, increases the organisation’s exposure and potential risk levels associated with an attack on digital infrastructure. COVID-19 is in part to blame for this; there has been such pressure to digitally transform in a matter of months rather than years, that certain aspects that would normally be risk assessed, have fallen by the wayside. Digital risk is one of them. What we see at the executive level isn’t an unfamiliarity with digital risk conceptually, but a lack of widespread
