Businesses continue to be a prime digital target for criminals, amateur hackers, hacktivists, hackers for hire and those engaged in industrial espionage, including nation-states. In fact, the UK’s National Crime Agency reported in 2016 that cyber-enabled fraud and computer misuse surpassed all other crime in the country.
A recent book of essays published by Forbes, in association with Palo Alto Networks—Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers—United Kingdom—offers expert guidance. Distinguished UK and international experts—including chief executive officers, chief security officers, consultants, and former and current government officials—provide advice and best practices, tailored to directors and officers of UK companies and organizations, on how to protect their systems and the other assets most likely to be targeted.
One major development that has been moving the cybersecurity discussion into the heart of the boardroom: EU legislative changes coming into effect in 2018. Two major new pieces of EU legislation—the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive)—will impose security and breach notification obligations on many organizations. GDPR includes penalties, including fines, for non-compliance. Despite Brexit, the requirements of GDPR at least will most likely apply to many UK companies in one form or another. The impact of the NIS Directive is less clear.
By focusing the board’s attention, these EU legislative changes offer a rare opportunity. They will allow different members of the business to become engaged with cyber risk and find a common language in which they can communicate. This will give your business the opportunity to step back from its myriad activities and look afresh at its security, enabling you to reassess and re-architect your approach to keep pace with future demands.
This guide devotes an entire section to implications of the legislative changes, including how to achieve the “state of the art” cybersecurity the law demands.
Another section focuses on executive responsibility, from the board’s duties to how to keep your senior executives from becoming attack lures. (A favored tactic of cybercriminals is to “spoof” the email of, say, the CEO. They know that if they send an email that appears to come from the CEO to the finance department asking for a wire transfer, or to the chief engineer asking for sensitive company information, they just might get what they want.)
The book’s third section, Enabling Innovation, discusses how to balance cybersecurity against business imperatives, such as keeping your organization nimble or providing a superior customer experience, as well as how the board should weigh these factors and how to build a holistic security organization.
Yet another section focuses on the security leadership team and the nuances of hiring a good CISO, which is easier said than done. The ideal candidate would combine impeccable judgment, authority, excellent communication skills, an understanding of business as well as tech, sensitivity to the corporate culture and the emotional intelligence to be a skilled persuader—not your classic geek. The best, well-rounded CISOs have been emerging from the U.S., especially Silicon Valley, but they are in high demand and convincing one to move to Europe can be challenging.