Building Cyber Resilience At Corporate Board Level – Best Practice And Recommendations

Implementation of Cyber Resilience

The recent crisis in the economy with the failure of the high profile corporatehas illuminatedthespotfor the participation ofthecorporate governance. Being a corporate governance consultant to the company which is listed in the AustralianStock Exchange and ranked with ASX 200, it is my job to help the company build a better board. This will help the company to develop betterprocedures and practices that are applicable to the corporate and board’s secretary office regarding cyber resilience.This would assist the company in meeting the peer or/and national group norms (World Economic Forum, 2017).

The work and practices with the corporate strategy and the conventional counsel  in  context to the cyber resilience ensures the business organization to gain complete protection  of the procedures and practices of governance.This has to be doen as the needs of the organization has to be devised as a responsibility on my part being the corporate governance consultant (Vugrin & Turgeon, 2014).

Implementation of cyber resilience at thecorporate board level is essential and relates to themanagement ofrisk inthecyber ecosystem ofthecompany. This will not be achieved with the conventional information security. Risk management in regards to thecyber resilience has to be an ongoing process of identification, assessment and response to the risk. According to Abdullah, Ismail & Nachum, 2016,the fact that the global digital environment of thecompany comprisingof the digital information technologies constructs the key nervous system on which the economic and social activity depends has to be considered.

The internal operation and communication of the company with the suppliers and the customers need to be revolutionized with the developmentof thecyber resiliencewhich is necessary for the reinvention of the company.As the corporate governance consultant, the fact that cyber resilienceenhances thebusiness operation, effectiveness of the operations, and the trust that the company has on its internal structure needs to be worked upon. It has been observed that breach in the cyber system of thebusinessorganization would result in stealing of intellectual property, personal data and technically confidential information of the company.  This further leads to the disruptionof the critical systems of businessof the company. Theimpact can be very dominating and damaging to the reputationof the company and loss of competitive advantage.This can further result in loss of competitive advantage for the company (Agrawal & Cooper, 2017).

By integrating enhanced cyberresilience in the internal structure of the company, important measures foraddressingsuch risks can be done effectively. It provides the companywith the confidence for exploitation of the digital aspects of delivering the opportunities for innovation and growth on which the company can depend (Al-Janadi, Rahman & Omar, 2013).Such decisions of the company depend on having a very informed status ofthecyber resilienceacross the company form theboard to those accountable for managing InformationTechnology andall theemployees who happen to haveaccess to Information Technology.

The strategies to integrate cyber resilience in the internal structure of the companyneeds tofocuson the view oftheBoard which describes cyber resilience to be more a matter of culture and strategy thantactics (Westphal & Zajac, 2013).Thecompanyrequires the individuals atthehighest levelsof the management for recognizing the significanceof proactively mitigating the cyber risks. It is theresponsibilityof every individual in the company for cooperating so as to ensure enhanced cyber resilience whilethe leaders of thecompanyhave to devise the strategy leading tothe cyber resilience in the strategy of the organization (Armstrong, et al., 2015).

Counter to the Cyber Risks

In order to counter the cyber risks, the company needs to take theadvantage of theopportunities that are presentedbytheenhanced technological developments in network technology which is currently in the initial stages (Bell, Filatotchev & Aguilera, 2014).

The process of improving thecyber resilienceof thecompanywould integrate cyberresiliencesecurity and protocols and the best practices and policies which are mentioned as follows:

• All the directors of the companyneed to have the similar perspectives regarding the need of the Board to handle the matters of thecybersecurity in a way which is suitable to the footprint, assets, industry, people and geography (Coffee Jr & Palia, 2016).
• The company needs to engage its directors and the board in framing a team of cyber security or committee, or  both for handling the concerns and issues hovering around the aspects of cyber security as a part of theall-round management ofInformation Technology. This kind of technical team or committee needs toreport tothe Board of thecompany at least twice a year (Claessens & Yurtoglu, 2013).
• The corporate board of the company needs to integrate the responsibility on thecyber resilience andthe approach of the cyber security team.
• The board of the company needs to favourthe appointment of a director in the department of thecyber security on the board.
• The board of the company also needs to engage some ofthemembers of the board to be engaged in thepreparedness of education and training of cyber security and resilience totheemployees in the company (Tricker & Tricker, 2015).
• Further, the company at the Board level can integrate the tools offeredbythe World Economic Forum regarding the includingof cyber resilience which aim atimproving governance and strategy instead of standards and tactics along with the management o the confidential data and the internal businessoperations of the company. By integrating the tools and principles of cyber resilience the operation of the company can be enhanced.
• The inclusionof Boardprinciplesfor Cyber Resilience has to be materializedby thecompany which would enable the boardaction and to help the board in recognising their crucial role (Dimopoulos & Wagner, 2016).
• The company should incorporate the cyber principle Toolkit which has the10 Board principles associated with cyber resilience. This includes a set of questions which are devised forfostering a positive dialogue between the senior management and the board on the aspects of cyber resilience. These questionswill help the corporate board in implementing its role in the cyber resilience (Samra, 2016).
• The frameworkof board cyber risk should be included by the company that suggests regarding the review of the cyber risks which are needed to be done by the companyon a regular basis. This framework also ensuresthat they are also included in the review of other risks of the business. It happens to contribute to the overallprogramme of cyber security by providing the necessary informational aspectsfor prioritizing the management of actionsof cyber risk within the programme.
• Inclusion of board insightson theevolving risk in the technology tool needs to be incorporated by the company. This would be basically a document that presentsthe insights and guidelines that are applicable in any company. It would deal with the current shifts ofbusinessmodels ofthecompanythat arise with innovations associated with the unavoidable alterations in the risks and technology (Edmans, 2014). These guidelines and insightsare focusedin facilitatingthe discussions among the executive teams and board-level stakeholders regarding the cyber resilience. It also would assist the board members in developing strategy for the evaluation of new and innovative technologies (Ginena, 2014).

The instances wherethe useof cyberresilience has been put into practice in business organisations which can help the company is imbibing the protocols of cyber resilience aredescribed below:

• In the case of any retail company, the risk department is mostly accountable for complying with different policies and regulations, implementing with the continuity plans ofbusiness wherethere is anamalgamation with the Information Technology department for implementing the technical controls regarding the cyber resilience.  The information security manager needs to have all theinformation regardingthe preparation of the incidentswithin the risk department and is not willingforassuming the causes of the preventive controls (Khan, Muttakin & Siddiqui, 2013).
• In the various service sectors, it can be seen that the companies find it convenient to outsource all of the services of the Information Technology to alargerand more renowned service provider. The contract that is finalized is handled by thefinancial department of the company. The contract includes some of thespecific clauses regarding the assuranceof cyber resilienceof the systems of Information Technology wherethe data of the patients is held (Padachi, Ramsurrun & Ramen, 2017).
• Many company hasintegrated cyber resilience in its internal business structure which has helped the company in matching the capabilities and products  with the requirementsofthemarketin a more effective and safe way. These companies have also been able to provide services  by complying with the regulatory requirements in regards to cyberresilience (Larcker & Tayan, 2015). These companies have included theaspect of horizon scanning in its strategies of cyberresiliencewhich basically denotes to the systematicanalysisof informationfor identification of potential risks, threats emerging opportunities and issues. According to the company, true cyber resilience includesinnovation in providing the new services and products to thecompany byincluding enhanced securityand preparednessregarding alterations in data and information ofthe company.

The purpose of all these instances regarding cyber resilienceis to ensure the fact that the company can very conveniently deliver the strategy of its businessand the desiredoutcomes of businessby aligning the steps of the cyber resilience tothebusiness outcomes (Misangyi & Acharya, 2014).

The board of the company needsto include the principleof cyber resilience inthe internal structure ofthecorporate boar. These includethe taking accountability for cyber resilience. The board needs to takethe entire accountability ofover sightingthe cyberresilience and risks. The board needsto delegate the key activities regarding cyber resilience (Mason & Simmons, 2014).

The board needs to ensure the engagement of an account officer who would be in charge of reporting the capabilitiesof the company and regulating the progress of cyber resilience inexecuting goals associated with the cyberresilience. The board needs to have an eagerness to resolve risk in the cyber security which will be enhanced by quantifying and defining the risk tolerance in the businesson an annual basisin orientation of thecorporate strategy. Theboard needs to further  devise and ensure the resilienceplans  by facilitating the support to the  officer who is in charge and accountable fortheimplementation ofthe cyber resilienceby testing,  creation , implementation and improving the plans for cyber resiliencethatare  harmonized with the businessofthe company. The board ofthe company needs to have a command over the cyber resilience andensure regular updates ofthe trendsregarding cyber resilience and thealert regarding threats with the assistance and recommendationsform theindependent expertsbelonging to external source which can beavailable on being requested. The board of the company further needs to ensurethe integration of the management into cyber resilienceand assessments of the cyber risk intothe overall risk management ofthecompany along with the resource and budget allocation (McCahery, Sautner & Starks, 2016). The corporate board of the company also needs for having regular assessment and reporting of therisk. It would provide a validassessmentof the cyber threats, risk fordevising its own set of strategic assessments of risks byusing the Board Cyber Risk Framework (Michael & Goo, 2015).

Conclusion

In the constantly evolving threatening environment in the cyber space, conventional information security approaches in the corporate environment would be consideredto beincreasingly necessary, however it will not completely secure the individual companies. Thebusiness organization needs toestablish much of its base and confidence in their security maturity at the fundamental level,however, in materializing so, the companyneeds toidentify and accept that it will notbe ableto sustainand be successful in itsbusinesson its own.

The company needs to make investmentsnot only in appropriate technologies regarding cyber security but in having enhanced understanding of itsecosystem and associating with trusted partnersfor securing the company further. A flexible yet resilient cyber environment is a much valuable objective which can facilitate thecompany in implementing and operating thebusinessoperationswith an enhanced confidencein the security if the data and the systems. The company needs to look beyond its own borders andstart assessing its implicationson the cyber-attackon its suppliers, vendors and businessassociates. The company should also seek to developresilientand healthy cyberenvironment withthecollaborators they needs to communicate, interact and share information with.

References

Abdullah, S.N., Ismail, K.N.I.K. and Nachum, L., 2016. Does having women on boards create value? The impact of societal perceptions and corporate governance in emerging markets. Strategic Management Journal, 37(3), pp.466-476.

Agrawal, A. and Cooper, T., 2017. Corporate governance consequences of accounting scandals: Evidence from top management, CFO and auditor turnover. Quarterly Journal of Finance, 7(01), p.1650014.

Al-Janadi, Y., Rahman, R.A. and Omar, N.H., 2013. Corporate governance mechanisms and voluntary disclosure in Saudi Arabia. Corporate Governance, 4(4), pp.25-35.

Armstrong, C.S., Blouin, J.L., Jagolinzer, A.D. and Larcker, D.F., 2015. Corporate governance, incentives, and tax avoidance. Journal of Accounting and Economics, 60(1), pp.1-17.

Bell, R.G., Filatotchev, I. and Aguilera, R.V., 2014. Corporate governance and investors’ perceptions of foreign IPO value: An institutional perspective. Academy of Management Journal, 57(1), pp.301-320.

Claessens, S. and Yurtoglu, B.B., 2013. Corporate governance in emerging markets: A survey. Emerging markets review, 15, pp.1-33.

Coffee Jr, J.C. and Palia, D., 2016. The wolf at the door: The impact of hedge fund activism on corporate governance. Annals of Corporate Governance, 1(1), pp.1-94.

Dimopoulos, T. and Wagner, H.F., 2016. Corporate Governance and CEO Turnover Decisions.

Edmans, A., 2014. Blockholders and corporate governance. Annu. Rev. Financ. Econ., 6(1), pp.23-50.

Ginena, K., 2014. Shar? ‘ah risk and corporate governance of Islamic banks. Corporate Governance, 14(1), pp.86-103.

Khan, A., Muttakin, M.B. and Siddiqui, J., 2013. Corporate governance and corporate social responsibility disclosures: Evidence from an emerging economy. Journal of business ethics, 114(2), pp.207-223.

Larcker, D. and Tayan, B., 2015. Corporate governance matters: A closer look at organizational choices and their consequences. Pearson Education.

Mason, C. and Simmons, J., 2014. Embedding corporate social responsibility in corporate governance: A stakeholder systems approach. Journal of Business Ethics, 119(1), pp.77-86.

McCahery, J.A., Sautner, Z. and Starks, L.T., 2016. Behind the scenes: The corporate governance preferences of institutional investors. The Journal of Finance, 71(6), pp.2905-2932.

Michael, B. and Goo, S.H., 2015. Corporate governance and its reform in Hong Kong: a study in comparative corporate governance. Corporate Governance, 15(4), pp.444-475.

Misangyi, V.F. and Acharya, A.G., 2014. Substitutes or complements? A configurational examination of corporate governance mechanisms. Academy of Management Journal, 57(6), pp.1681-1705.

Padachi, K., Ramsurrun, V. and Ramen, M., 2017. Corporate Governance and Firms’ Performance of Mauritian Listed Companies. International Journal of Financial Management and Reporting Analysis, 1(1), pp.1-26.

Samra, E., 2016. Corporate governance in Islamic financial institutions.

Tricker, R.B. and Tricker, R.I., 2015. Corporate governance: Principles, policies, and practices. Oxford University Press, USA.

Westphal, J.D. and Zajac, E.J., 2013. A behavioral theory of corporate governance: Explicating the mechanisms of socially situated and socially constituted agency. Academy of Management Annals, 7(1), pp.607-661.

World Economic Forum 2017, Advancing Cyber Resilience: Principles and Tools for Boards, https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf

Vugrin, E.D. and Turgeon, J., 2014. Advancing Cyber Resilience Analysis with Performance-Based Metrics from Infrastructure Assessments. In Cyber Behavior: Concepts, Methodologies, Tools, and Applications (pp. 2033-2055). IGI Global.