Feature
PRACTICE

Serious play

Convincing boards to focus on cyber security is no easy task. Two role-playing scenarios at a recent IRM event offer valuable lessons to risk management teams. Readers can try the scenarios for themselves.

BY DANIEL ROBERTS
From TalkTalk in the UK to the American retail giant Target, and from Saudi’s Aramco to the UK’s National Health Service, we’ve seen and will continue to see attacks on companies’ computer systems with the objectives of stealing customer or commercial data, disabling or destroying computer systems and data, or plain financial extortion. The 2017 WannaCry cyber-attack on the NHS was estimated to cost that organisation £92 million. The 2012 attack on Aramco targeted over 30,000 computers. The number of attacks is increasing, and there is little we can do to reduce their likelihood. And for all this time, the constant refrain has been, “How can we get boards to take this seriously?”

Convincing boards to focus on cyber security is no easy task when those working in the business have competing priorities, responsibilities and reward structures. Risk professionals play a key role in communicating with the board and demonstrating why cyber security matters and requires board attention. The existence of these conflicting priorities within an enterprise will result in key individuals taking various stances on cyber security mitigations: they may be supporters, indifferent, or blockers with
Enterprise Risk