There’s a disturbing trend in boardrooms that’s leaving corporations completely exposed.
CPOs and CIOs are sidelined, ignored and forgotten by the rest of the C-suite. Mckinsey estimates that 75% of boards “struggle to provide the required long-term mandate and support” to IT. If this doesn’t change, companies may as well just offer up their IP and trade secrets to malicious actors on a silver platter.
Executives believe that the battle between CPOs and hackers is removed from day-to-day business operations. It’s framed as a niche concern, taking place in its own abstract world, detached from the beating heart of business.
This misconception has left corporate IT teams isolated. They are often exiled to far-flung corners of the office – dark nooks and floors that few employees ever venture to, let alone senior executives.
Why is this a problem?
Firstly, if IT professionals aren’t part of the decision-making executive team, then they can’t make the case for more cybersecurity funding – which they desperately need. Kaspersky report that 25% of UK companies openly admit to underfunding cybersecurity.
Cybersecurity threats proliferate by the day. Hacking groups are backed by rogue nations like China, Russia and Iran. These groups are bringing the full war chest of a nation-state to the fight – and all the cutting-edge tech and expertise along with it.
To face down these state-backed threats in this escalating arms race, CPOs and CIOs have been left with depleted coffers and understaffed teams. And they aren’t likely to rectify this if they’re left out of the boardroom.
A second vulnerability is with employees. Cybersecurity professionals play an invaluable role in ensuring employees meet basic compliance standards. Unfortunately, most people’s knowledge of cybersecurity is inadequate, so CIOs and CPOs have to work constantly to ensure that employees don’t step into traps and open up networks for hackers.
But new technologies like AI and deepfakes exponentially increase the risk of employees slipping into phishing and malware attacks. Detecting a deepfake video of a senior executive is far harder than spotting a dodgy email. One employee recently sent $25m of company funds to scammers after a video chat with a deepfake of their CEO, starkly illustrating this new threat (Verdict).
To insulate employees from these new threats, CIOs and CPOs will need to be center stage, drawing up strategies, training employees and putting best practices in place. This will require significantly more decision-making authority than they have currently.
Finally, in the event of a breach, CIOs and CPOs need to take control of the situation. They cannot do this if they’ve been sidelined from normal operations.
If the status quo persists, management will find that their incident response is sluggish and their damage limitation is insufficient.
Effective worst-case-scenario plans are crucial in minimizing the impact of a breach. But without the involvement of IT professionals in board discussions, robust plans will not be in place and management will be too slow to react. Before they can react, malicious actors who gained access to a peripheral network will have pivoted into central systems and into the corporate HQ.
Comprehensive incident response plans need consistent input from CIOs and CPOs. It’s not enough to call them up after the breach and expect them to be able to put out the fires.
But how can we cross this yawning chasm that’s opened up between CPOs and the rest of the boardroom?
The bridge needs to be built from both sides. CEOs and the rest of the conventional decision-making board need to bring IT professionals into broader business discussions. Cybersecurity cannot be separated from other business operations, what happens in one sphere has direct consequences on the other.
Equally though, CIOs and CPOs need to do their bit in broaching this cultural gap. They need to frame cyber operations in ways that highlight their relevance for shareholders in general – cyberthreats carry significant financial and reputational risk.
IT professionals need to make this translation so the rest of senior management understand the gravity of the situation. They might then find themselves front and center in business-critical decision-making down the line.