Cybersecurity Needs to Be Led From The Top

Table of Contents
Benjamin Donnachie, Senior Vice President in the Digital Practice at AlixPartners LLP, explains why the cybersecurity agenda needs to be led from the boardroom. In our experience executive teams often perceive cybersecurity as a singularly technical rather than broadly commercial matter and therefore leave it to their IT teams to manage. What then follows is a classic bottom-up approach with an emphasis on compliance and ‘box-ticking’ in which the technology function is left to assess performance against their own strategy, effectively marking their own homework. While many cyberattacks may subsequently be prevented, and their impacts significantly reduced, organisations all too often have scarce resources that need to be selectively, and strategically, allocated. Quantifying and ranking cyber-risk in terms of the potential financial, reputational, and compliance-related impacts in case of a data confidentiality, availability, or integrity issue empowers a business’s leadership to understand the problem and address it like any other business risk. In short, it must be incorporated into the organisation’s existing enterprise-wide risk management framework. It is also essential to carefully map business processes, business assets, and technical assets, making sure to classify them by potential risk level and determining their level of criticality. This is the key connection between cybersecurity and business continuity and allows any investment in cybersecurity to be linked directly to the business’s value and the importance of its information. As senior management’s appreciation of the cyber agenda develops, they will need to examine the company’s wider risk appetite and identify any trade-offs. Any business processes or assets that demonstrate risk levels above the organisation’s thresholds require defined mitigation activities involving an appropriate mix of people, processes, and technology. Ultimately, it is up to the CEO and the board to define the strategic allocation of ‘capital at risk’ to mitigate cyber risks. The company can then design a detailed plan and investment – including capital expenditure and operating expenses – in which each cybersecurity investment is prioritised and, crucially, justified by the reduction in business risk thus defining cybersecurity return on investment. Rather than keeping cybersecurity at arm’s length, the c-suite needs to recognise it as a top-down issue that must be managed by a team of key people:
  • CEO Clearly outline the policies, processes, and the roles and responsibilities of key stakeholders.
  • CRO Provide the risk management perspective as well as appropriate metrics and risk analysis.
  • CFO Assist with regulatory requirements and analysis of the economic capital implications and allocations.
  • COO Embed the approach into IT operations and HR culture of the company.
Along with Benjamin, we recommend that chief executives establish a quarterly security advisory board that enables executives, risk and IT managers to discuss fundamental security issues, challenge existing protocols, and, crucially, include their business judgements. The agenda should focus on risk, continuous improvement, and the enterprise’s overall operating model. Framing the discussion in terms of commercial and operational risk reduction makes cybersecurity significantly more accessible and understandable to a business’s leadership team. It allows investments to be focussed on areas of high risk and the return on those investments to be more easily understood, avoiding the perception that cybersecurity is a burdensome additional cost to the business. In summary, to build the most effective cybersecurity programme possible, it needs to be grounded in the human component of the business and that begins with the boardroom.

Download the Cybersecurity Needs to Be Led From The Top Whitepaper Here

Table of Contents

Related Articles


How Agile is transforming industries and organisations

Agile® is one of the most popular approaches for project management, with 81% of respondents in a KPMG study saying they’ve started their Agile transformation. Originally conceived within the software development sector, Agile methodologies have transcended their initial confines, revolutionising practices across various industries and organisations worldwide. Agile is a transformative approach that emphasises flexibility,

Read More »
Change Management

Mastering change management: Essential skills for today’s leaders

As we have all seen in the last few years, change can be unexpected, unpredictable and fast-moving. As a result, effectively managing and navigating change has become crucial for all leaders. Change management is no longer a specialised skill but a fundamental requirement for leaders across all levels and sectors. The capacity to steer teams

Read More »
The critical importance of soft skills in tech

The critical importance of soft skills in tech

  In the UK, the tech sector is the biggest sector dominating the market, with a value of $1 trillion. As a result, the demand for technical skills remains high. However, amidst the coding languages, algorithms, and data structures lies an often-underestimated component of success: soft skills. These non-technical interpersonal skills are proving to be

Read More »
Elevating Your Career with ISTQB Certification

Why Quality Matters: Elevating Your Career with ISTQB Certification

For those in software testing and quality assurance roles, it can feel like there is a never-ending list of qualifications and training options to explore. These training options can be pivotal in career advancement and standing out of the crowd in the job market. One of the most recognised and respected ways to achieve this

Read More »

At TSG Training, we know that preparing for an exam can be a stressful endeavour. That’s why we offer a unique promise to our customers – if you don’t pass your software testing course exam the first time around, you can take one subsequent course at no cost! Exam re-takes are chargeable

Enquire Now

Wait! Before You Leave.

How can we help?

Would you like to know more? Click here to arrange a call back with one of our business development managers. They will be able to discuss the course with you and answer any questions you have.