Five Ways Boards Can Shape The Digital or Cyber Resilience
Business Roundtable

Each day brings news of more sophisticated attacks, as data theft, downed servers, and ransomware wreak havoc on organizations. The sheer volume of breaches makes us think that these attacks are never going to end. So how do we stop this? The answer lies with digital resilience leadership.

Digital resilience is an organization’s ability to continue to operate through an impairment, and to stay in business while minimizing customer harm, reputational damage, and financial loss. -Redseal

Effective digital resilience starts in the boardroom. The time has come for corporate boards to future-proof their digital resilience capabilities. Unfortunately, most of the boards I have reviewed lack the clarity, abilities, and skills to drive digital resilience. Infusing digital or cyber resilience is an ongoing process where the movie never ends.

Here are five ways boards can shape digital resilience to drive value.

1. Understand, measure, and approve risk tolerance.

  • The threats come from everywhere. They are inside, and they are outside. It is essential for board members to understand cybersecurity in terms of requirements, investments, and efforts.
  • Avoid technical jargon; instead, focus on understanding the risk appetite, business value, and security posture of the organization. For example, what is the impact on the organization's security posture if we embrace remote work? Don't get bogged down by technologies such as endpoint security due to remote work.


Involving the board in cybersecurity exercises is a huge plus. Understand risk tolerance. Bring resilience, security, and trust closer. -Khwaja Shaik, CTO, IBM


2. Measure the progress, and future-proof the digital resilience through holistic metrics.

  • You can't measure what you don't track. Speed of recovery, cost of recovery, and level of preparedness are essential. But, just understanding qualitative and quantitative metrics is not enough. Delve into short-term and long-term priorities, internal and external threat factors, attacks' volume and sophistication, emergency plans, fallback scenarios, and compliance direction. 
  • Stay away from the check-box mentality. Developing an early-warning function is a board-level agenda item.


If you are not asking the right questions and measuring risks consistently, you have no mitigation plans if you ever get attacked. -Khwaja Shaik, CTO, IBM


3. Instead of cybersecurity maturity models, use risk-based digital resilience models driven by risk appetite and business value.

  • Understand the difference between cyberthreats and cyberrisks. Cyberthreats are inherent risks due to technical exploits such as phishing and vulnerabilities, while cyberrisks result from loss of confidentiality and availability of digital assets. Similarly, understand your ‘crown jewels’ and link sources of value with their risks as part of a risk-based digital resilience framework.
  • Develop clear risk escalation triggers to notify the board of business resiliency risk events.

The time to move from maturity-based security to risk-based security has arrived. Provide cybersecurity optimization oversight, as no one has a blank check. -Khwaja Shaik, CTO, IBM


4. Future-proof with industry trends by accelerating the Board, C-suite and ecosystem collaboration.

  • Having cybersecurity and business resiliency expertise on the board is a huge plus. Leverage this expertise to educate other board members and to drive meaningful digital resilience conversations.
  • Establish technology committees that include the cyber oversight scope. Ensure cybersecurity is part of the conversations about digital transformation imperatives. Encourage speaking up to drive meaningful board discussion.


Data privacy, digital trust, global technology tensions, and counterterrorism are pressing challenges that the board must fully understand. -Khwaja Shaik, CTO, IBM


  • The board needs to be smart enough to challenge management on digital resilience. This is possible only by adding diverse voices, ethnic backgrounds, and perspectives to the boardroom.


Insist on more frequent and consistent communication between the board and senior management. Establish a dedicated cybersecurity committee. -Khwaja Shaik, CTO, IBM


5. Restructure the board with the skills for tomorrow.

  • Managing for digital resilience starts with managing the talent of the board. I have seen many firms lag behind in prioritizing cybersecurity capability in their board skills mix.
  • Drive diversity goals for the board by looking for skill sets instead of titles. The sweet spot lies at the intersection of strong business ‘savvy’ with cybersecurity knowledge and gender diversity.
  • Develop director skills with a growth mindset and a life-long learning culture. Benchmark board composition not only against its peer group but also against private equity.


Infusing the board with the right digital resilience skills is a continuous process. Adopt an evolving skills matrix. -Khwaja Shaik, CTO, IBM


  • It is important to have diversity of experience, age, gender, and thought by infusing subject matter expertise. You need people on the board from other businesses to avoid groupthink and myopia.
  • Ensure strategic planning for cybersecurity follows a multi-year tempo instead of an ad hoc tempo. Have quarterly check-ins, if not more, to measure progress.


Ensure at least one-fourth of the board’s time is spent on digital resilience. Ensure digital resilience board routines are an ongoing process.


Question: What other ways can boards shape digital resilience? Please share your thoughts in the comments section below.

For professional insights into complex issues join the conversation by tweeting Khwaja at @Khwaja_Shaik or connecting with him on LinkedIn.

ABOUT KHWAJA SHAIK

Award-winning C-level IT Executive with 25+ years of technology leadership with GE, IBM, BAC & PwC.  

Recognized for technical acumen, Innovation, Cloud, AI, Architecture, Cybersecurity, & Large-scale execution, Khwaja has been instrumental in driving major Digital transformations involving the newest innovations, automation, cost reductions, efficiency, agility & competitive advantage to Fortune 500 firms. 

Khwaja’s life goal is to infuse purpose for a better future. He has built bridges with peers within the firm, & ecosystem to accelerate growth.

As IBM's CTO, Khwaja works closely with many of the world’s leading CIOs to address key industry issues. Using his innovative mindset, Khwaja advises firms to use emerging technologies, enterprise architecture, & roadmaps to accelerate business value by embracing the product mindset, future-ready platform models, ecosystems, & doing agile right.

Khwaja also serves as McKinsey Global Institute’s Executive Panel Member, MIT Sloan CIO Forum Member, Gartner’s Research Circle Member, MarketsANDMarkets Advisor, and HBR’s Advisory Council Member driving global thought leadership.

As a global influencer, Khwaja frequently blogs on exponential technologies at IBM, LinkedIn, and Twitter. With his passion for interfaith and nurturing global talent in STEM, he serves on the Advisory Boards of Interfaith Center of Northeast Florida and Museum of Science & History, and the University of North Florida’s Computing Advisory Board.

Recipient of outstanding service awards from the University of North Florida, Bank of America, IBM, and Indo US Chamber of Commerce of Northeast Florida. He is frequently interviewed for industry insights or cited in the news, thought leadership POVs, and blogs on disruptive technologies.

Khwaja holds an MBA and Engineering degree. He is a frequent speaker on exponential technologies at various forums, including the CIO IT & Security Forum, MHI Supply Chain Conference, IIT Hyderabad, and Indo US Chamber of Commerce of Northeast Florida.

More details on Khwaja’s career and thought leadership activities can be found via LinkedIn or Khwajashaik.com, or by following him on Twitter @Khwaja_Shaik.

"The postings on this site are my own and don't necessarily represent IBM's positions, strategies, or opinions."

