Cyber and Emerging Boardroom Risks

Gaurav Kataria, CIO, Cyient

In 1955, the famous author Issac Asi­mov wrote a book titled ‘Risk’. The book was about how robots were needed to take on a dangerous experi­ment to safe guard humans. But as the story progressed, the team real­ized that the ill-programmed robot had put the mission at risk, and finally a human intervention became a must to save the mission.

Snap back to today! Digitization, Automation, Artificial Intelligence (AI) and Machine Learn­ing are a few of the buzz words we all are hearing with the hope that they will lead to a better planet someday. And like in Asimov’s story, though the mission is progressive, the biggest risk in all of these is not the machine itself, but the humans programming the machine.

Cybercrime represents the dark side of digiti­zation, and is the mastermind of extremely smart individuals. In today’s day and age, that’s where the board has a major role to play. We need smart­er humans to deal with smart humans!

The role of the board has changed over the past 5 years:

1. While it is the management’s job to handle the day-to-day running of the business, the role of the board has moved from being 90 percent fi­duciary (focusing on accounts and audits) to 75 percent strategy and risk management.

2. Off all the risks that the board oversees, Cyber Security has emerged as a central theme across all large and mid-sized corporations.

3. The board of today is not only focused on miti­gation strategies, but also strategies to cover the liability arising from this menace.

4. Apart from the Intellectual Property (IP), data (personal or corporate) loss, the board is equally focused on preventing reputational damage to the brand.

Reputation is one of the most valuable and fragile assets of an organization—according to a study by World Economics. On an average, ap­proximately 25 percent of a company’s market value is directly attributable to its reputation. A good reputation built through years of dedicated effort can be destroyed almost over­night, especially in today’s world where an organization’s customers, operations, supply chains, and in­ternal and external stakeholders are scattered globally and connected via technology.

The advent of new technologies and an ecosystem of digital inter­connectedness significantly increase an organization’s exposure to cyber theft. As a result, cyber and reputa­tion risks have become top concerns for all boards and organizations.

It is prior knowledge that it is only a matter of time before every organization is hacked. With Cy­bercrime now available as a service, anyone can ask for a company to be attacked or themselves become a hacker just by watching online vide­os. Anyone can buy exploit kits from the dark web, pay with bitcoins, and to top it all, the customer service across these channels is actually bet­ter than most service providers!

The window for responding is very narrow and organizations have to very quickly demonstrate that they have taken control of the situa­tion if they are to protect their repu­tation. Yet only 7% of organizations claim to have a robust incident re­sponse program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management func­tion. The emphasis for boards now includes making sure that critical security infrastructure is in place, enhancing crisis response and strate­gies that emphasizes a good balance of preventive and responsive tactics.

Technology is making bounda­ries between industries more porous and people are spending more time on the internet than on any other media, providing opportunities for attacker models. While understanding the future impact of technologies is the man­agement’s responsibility, boards should ask management for their perspectives on how the organiza­tion is handling the strategic risks related to technology and digital disruption today.

Some organizations are creating new technology forums, building the expertise of corporate directors, and strengthening IT governance— all with the aim of allowing boards to guide management by asking the right questions about technology and its impact.

In summary as, Ravi Venkate­san, Chairman of Bank of Baroda and former Chairman, Microsoft India, said in his recent blog, “The world is at the beginning of a revolu­tion where there are huge advances in genomics, artificial intelligence, materials, and manufacturing tech­nologies. Machines are closing in on human ability with astonishing speed. Robots are replacing humans not just on factory floors but also in homes too. Reusable rockets prom­ise to make space travel, and colo­nies on Mars and the moon a reality. Possibly in our own lifetime we will reach a point called “Singularity” where machines become as smart as humans and then keep getting smarter. We will soon be able to edit genes to create favourable traits and new life forms. Science fiction is giv­ing way to reality.”

Though I am very optimistic about our connected future, the question we need to ask, “Are the board’s asking all the right questions and are we as organizations ready to deal with the risks arising from this revolution?”