Security is now a critical boardroom topic. The rise of high-profile security breaches is leading regulatory bodies and shareholders to increase scrutiny of the CEO and boardroom. Responsibility and accountability for cyber risk are now falling directly on the CEO and board of directors.
Sandra Ng of IDC Asia Pacific sits down with Connected Futures to discuss what CEOs and boards of directors must do to secure the enterprise. Watch or read the interview to gain Ng's insights.
What are the top security issues that organizations in Asia Pacific are currently facing?
There are many security challenges that organizations in Asia Pacific face, but I’ll just share a few common ones that I see and experience in the marketplace.
The first is, generally, the lack of awareness among employees, and I take phishing as an example. Employees can, without knowing, give out information that is actually very, very important to the organization or subject to security risk in terms of the organization’s network.
The second would be cybersecurity, which is currently a very hot topic, and this is with regard to more and more organizations getting into the mobile and online commerce space.
The third is the impact of security as a result of digital transformation, which is a critical component for many, many organizations today.
How can CEOs drive transformation and innovation to meet the needs of growth and agility while balancing the concerns and precautions of security?
Well, there are many approaches, but there is no silver bullet.
I mean you can control, you can try to prevent, but no organization is 100 percent security-proof or security-risk-proof in today’s marketplace. But I would say there are two very big components for the head of security, the head of IT, or even just the business executive within the organization.
The first is governance framework and process. It is important for organizations to have a very well-established governance framework so that the employees, as well as the business partners that they interact with across the business process, can actually come together in compliance with the security and the risk-management requirements.
Now, the second will be about agile development, which is obviously very critical in a hyper-digital era. So the ability to balance governance and agility is going to be critical for every organization, whether you are in the private sector or the public sector today.
How can the CEO bring security into the boardroom? What are the conversations the CEO needs to have with the board of directors? And how does a CEO know that he/she is making an impact in better protecting the organization and its assets?
For the board of directors, the topic of security is becoming increasingly important but the value that the board of directors place on security will depend on the organization.
And there are various things that it considers, obviously all leading to the shareholder value at the end of the day. So we would include brand equity, integrity, and trust, as well as, obviously, the potential financial loss as a result of security risk or exposure. So these are all going to be important elements.
From the CEO perspective, the CEO calling the board of directors' attention to security, again, will really depend on the kind of business and the digital transformation journey that the organization is undertaking.
So the more exposed the CEO and the management team feel about security, then obviously the more important it is to bring that conversation to the board.
And many times, the head of IT or the CIO, and in some cases the CISO (the chief information security officer) if that individual does not report to the CIO, will actually need to be called to the board of directors' meeting to make sure that they outline the risk, the potential and the compliance, or the solution to really execute it to protect the organization.
What role should a board of directors have in driving company, industry, and global governance to be good corporate citizens?
Not many boards of directors today are fully aware of security implications and the options out there.
So I would say that the first thing that is really required for boards of directors is a working knowledge of the security ecosystem.
And when I say the security ecosystem, I mean basically what are the potential risks out there, what are the commercial options that can be made available to the organization, and what can actually be done in order to protect the firm on whose board they obviously sit.
Now for many boards of directors, asking the right set of questions to the CEO, to the senior management team, as well as to the head of IT or head of information security, will be critical to ensure that protection, trust, and integrity are kept within the organization.