A recent Deloitte report outlined a seeming stand-off in expectations around cyber awareness, actions and ownership. Citing only 5% of the FTSE 100 as having a Board member with specialist cyber or technology security experience, despite 87% placing cyber security as a critical business risk, made for reasonably shocking reading. But behind this were some hints of action: 11% creating new roles and capabilities to specifically deal with cyber and 10% investing in training the board in cyber.
I don’t find the Board presence, or lack of it, particularly shocking. This skill set remains relatively ‘new’ and it would be a bold move to add such a relative specialist into the board cadre. But should this investment in Board awareness and training continue, I think it is pretty reasonable to anticipate that this will change. Cyber, by its very nature, is inextricably linked in many minds as a technology function. And of course in some ways it is, but this will fade.
While it would be very easy to burn column inches philosophising about which functions should be on a board, it would likely be an academic point for now as the evidence suggests they aren’t there. So what does this mean for information & cyber security talent?
Security is one of those areas which can almost self-propagate technical work. Those who wish to secure information & data assets consistently invest in new defences, while those who wish to compromise it apply equal and opposite creative forces to acquire, corrupt and disrupt. In any other market it might be considered collusion… I jest.
Over and above the technical ‘doing’, cyber is a whole business concern. It’s a critical part of enterprise risk management, supporting optimal business operations and the delivery of services to customers. And this is where the tame techie withers on the vine. The technical components are increasingly commodities to be bought, provided as a service, and likely procured by the IT function.
So away from the technical doing this fast becomes a role focused upon the alignment of risk to commercial objectives, and the ability to influence people into new and enhanced ways of working. The best Security leaders are able to deliver a cohesive vision wrapping together information, data, cyber and physical security. And then move to share and align this vision with the whole business.
The right cyber support is very much focused upon ‘need’ – the enabler to enhanced, secure commercial operations. Lack of executive awareness and investment has for too long meant that businesses have had the security they ‘deserve’. Security leadership talent that is a commercial thinker first and a dedicated domain specialist second may not have a seat on the board, but ought not want for the attentions of the Board, and the rest of the business for that matter!
Matt Cockbill is a partner at Berwick Partners and specialises in Transformation, Change and IT Leadership.