Cyber security must be high on the board agenda at every organization, supported by the government

January 17, 2020

Recent incidents involving ransomware at, among others, the University of Maastricht and Travelex, and vulnerabilities in Citrix products that have affected government organizations, companies and hospitals, show once again that attention to security must not be allowed to diminish and that sharing knowledge about current vulnerabilities and what to do about them is necessary.

The government has a role to play here, for example in gathering and verifying information about vulnerabilities from various sources and giving advice on how to handle them. The National Cyber Security Centre (NCSC), among others, has this role. There is still room for improvement when it comes to disseminating that information, certainly to organizations that are not part of the government or do not operate vital processes, although the Digital Trust Center (DTC) is taking steps in that direction. However, given the size of the group of companies and organizations that fall outside the scope of the NCSC and within that of the DTC, some 1.8 million in the Netherlands, it is unlikely that this will be a comprehensive solution. Not to mention the enormous diversity of digital situations and staff expertise at all those companies and organizations. A government will never be able to solve this on its own, and I think that it should not be expected to either.

So companies and other organizations cannot and should not lean back. Their safety, and that of the products and services that they provide and use, is primarily their responsibility!

That responsibility ultimately lies with the boards of the companies and organizations, regardless of their sector or size. My estimation is that in many of these boards the focus on security measures could be increased, but it is always a trade-off between different interests. Continuity of service, investments in new products, channels and people, compliance with changing laws and regulations, and many other interests, opportunities and risks all count. Ultimately, it is up to a board to make the right assessment and to make resources (people and means) available. The weight of cyber security is perhaps more difficult to determine than that of the other components in that assessment, for example because there is less experience with it, or because part of the damage caused by a cyber incident does not fall on one's own company, but elsewhere in the supply chain, or on society.

Something should be done about that, certainly if supply chain partners or social interests are compromised by an incorrect assessment and subsequent (in)action by the board of one company in the chain. For example, when deciding whether or not to patch software, not only the costs associated with downtime of one's own process should be considered, but also the costs for the company, its supply chain partners and society when the organization comes to a halt because of unpatched software. Today's boards of companies and organizations must also take this external effect into account. Whether it is a logistics company, a supplier of software, raw materials or financial services, or a provider of any other kind of product or service does not matter.

CIO Platform Nederland contributes to the development of this responsibility at companies and organizations by offering them the opportunity to learn from each other and to share knowledge and experience in a trusted setting. We do this through, among other things, sessions at a strategic level for CIOs and CDOs and at an operational level for (chief) information security officers of our members. In addition, we represent the interests of our members in various councils in this area.

Ronald Verbeek
Director CIO Platform Nederland