Governing cybersecurity requires understanding your enterprise’s digital systems

September 19, 2024

Key takeaways

Understanding how digital systems work and interact is key for governance and management.

Boards and management teams must meet in the middle to understand systemic digital risk.

Dedicating time and resources to education will result in more resilient, secure enterprises.

Digital systems are foundational in today’s business environment and can provide competitive advantages when properly used. However, their failure can also damage companies and disrupt society. Digital system complexity and related cybersecurity challenges are only growing with the addition of artificial intelligence (AI) to the business landscape. Digital systems are here to stay, and they are challenging for boards and management teams to govern and manage.

Taking on these challenges begins with the board and management team developing a shared understanding of the systems that make up every enterprise. The “enterprise as a system” (EAS) consists of the web of components necessary for a business to function: information technology tools (applications, servers, databases, hosted solutions); physical elements; and the people who utilize them. Boards and management teams need a business-level understanding, not technical knowledge, of how these systems work and interact across the enterprise. That understanding is achievable through three essential actions:

1. Organize the board and management team for optimal governance and management.

2. Educate the board, management and employees about the EAS and its related cyber risk.

3. Foster a culture in which all stakeholders share responsibility for cybersecurity. 

This is the second of four articles that explore each of these elements and how they work in concert to align board directors and managers on addressing digital risks to their business. The “organize” element was addressed in a previous article: Governing cybersecurity means revamping your organization and processes. This article addresses the “education” element.

EAS ‘education’: Contextualizing digital risk as a systemic risk

Typical cybersecurity reporting to the board and C-suite deals with areas such as compliance, penetration testing, heat maps and dashboards. Although impressive and important, this information can be overly technical and lack context—providing it to board members is like showing them the instruments in the cockpit of a jumbo jet and then asking them to strap in and fly.

Ultimately, important cybersecurity indicators without context have limited value for board governance. In addition, cybersecurity management teams often lack the enterprise-wide perspective of experienced board members, a perspective important for dealing with enterprise-wide risk.

For these reasons, boards and management teams must meet in the middle to develop a shared understanding of the systemic risk that digital risk poses to the enterprise.

Key actions for boards

Bringing it together

Understanding how digital systems work and interact is table stakes for effectively governing and managing in today’s business environment. The steps outlined in this article prepare boards and management teams to take advantage of evolving complex digital systems, including AI, while minimizing their risk. Investing the time and resources to educate boards and management teams will result in more resilient enterprises, reduce incident recovery time and optimize cybersecurity spend. Together the “organize” and “education” elements of the EAS set the stage for developing a cybersecurity culture where all stakeholders feel responsibility for protecting the enterprise against cyberattacks. There are no check-the-box solutions for digital risk.

RSM contributors

  • Rod Hackman
    Executive Advisor, Board Excellence
  • Robert Snodgrass
    Principal
