Cybersecurity is a boardroom issue

When it comes to cybersecurity, the focus needs to be on working together as a unified whole, from the tech stack to the boardroom — starting at the top with the CEO. 

Cybercrime is expected to cost the world eight trillion US dollars in 2023, and 10.5 trillion US dollars by 2025, according to Cybersecurity Ventures, which monitors the global cyber economy. In 2015, the figure was just three billion US dollars.

Indeed, if it were measured as a country, cybercrime would be the world’s third largest economy after the US and China. 

None of this is surprising. The Covid-19 pandemic, coupled with the rapid adoption of internet-facing devices of all kinds as a component of accelerating digital transformation, has greatly increased the attack surface of our digital world. 

Then there are nation-state actors, launching increasingly sophisticated cyberattacks designed to evade detection and further their strategic priorities. In its latest Digital Defense Report, Microsoft suggests that “the advent of cyberweapon deployment in the hybrid war in Ukraine is the dawn of a new age of conflict”.

From backroom to the boardroom 

Be they criminal gangs, individuals or nation states, cybercriminals are exploiting weaknesses to access networks, disrupt supply chains, attack critical infrastructure, or simply weaken digital capacity. 

For governments, as demonstrated by Ukraine’s resilience in the face of Russia’s digital attacks, cybersecurity has become a crucial part of their defence systems. Presidents and prime ministers are increasingly taking a leading role, ensuring that cyber defence capabilities are given the funding and resources that they need. 

In the business world, things are no different: cybersecurity has gone from being a backroom IT concern to a boardroom issue.  

According to Mikołaj Woźniak, risk and regulatory leader for PwC Central and Eastern Europe, “Today when geopolitics and cyber mix, cyber begins to be etched on the C-level agenda. CEOs and boards want to know what is the risk exposure to these developments. Geopolitical environment and rapid digitisation continue to focus the attention of businesses on cyber risk. And in response to these threats CEOs are increasing investment in cybersecurity and data privacy.” 

As organisations continue to digitise and rely on technology, the risk of cyber attacks increases, making it essential for organisations to address cybersecurity risks as part of their overall risk management strategy.  

Furthermore, regulatory requirements for data protection and cybersecurity have become stricter, and organisations that fail to comply with these regulations can face severe financial and legal penalties. 

“Cybersecurity is the foundation for digital progress,” says Kostas Loukas, general manager, Enterprise, Microsoft South East Europe. “It gives business leaders the confidence to embrace the shift to the digital economy. It helps governments protect critical state functions and the public services on which we all rely. And it gives all of us the peace of mind to live our digital lives to the fullest, knowing our personal data is secure and private.” 

Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management. 

“CEOs recognise that cyber is a business imperative—one that the CISO cannot, and should not, tackle alone,” says Piotr Urban, partner at PwC Poland. “CISOs are seizing the initiative to truly lead—to step out of their independent cyber-specialist role and into one of partnering with not just a few executives but the entire C-suite.  

“Among them are executives responsible for the overall business (CEO), management oversight and governance (Board), technology infrastructure (CIO/CTO), cyber investments (CFO), operations and supply chain (COO), risk management (CRO), data (CDO/CPO) and human resources (CHRO). These collaborations have never been more critical.” 

Peter Durojaiye, partner and cybersecurity leader for PwC Central and Eastern Europe, adds: “When it comes to cybersecurity, the focus needs to be on working together as a unified whole, from the tech stack to the boardroom — starting at the top with the CEO. Security is a concern for the entire business, in every function and for every employee.”

Loukas of Microsoft agrees. “Both private and public organisations are focused on strengthening resiliency to mitigate today’s threats, even as new ones continue to emerge. That’s why cybersecurity has gone from backroom IT concern to boardroom issue,” he adds. 

Faster adoption 

To unlock faster digital progress and the economic and societal benefits it can deliver, business leaders and policy makers need to place a renewed and sustained strategic emphasis on security.   

The good news is that this is happening, if not, perhaps, as universally as it should. More than 70 per cent of the 3,522 business and tech executives surveyed in PwC’s 2023 Global Digital Trust Insights Survey saw improvements in their enterprise’s cybersecurity this year—thanks to cumulative investments and C-suite collaboration.  

In Central and Eastern Europe, the figure is around 60 per cent. 

Nevertheless, of those surveyed, only 31 per cent in CEE, and fewer than 40 per cent globally, feel very confident in their current mitigation of emerging risks. Senior executives worry that their enterprise isn’t fully prepared to address heightened threats.

In PwC’s annual Global CEO Survey, the geopolitical environment and rapid digitisation continue to focus CEO attention on cyber risk. Some 34 per cent of CEOs in CEE and 48 per cent globally say they are increasing investment in cybersecurity or data privacy in response to rising geopolitical conflict. 

‘Security isn’t a one-team job’ 

Cybersecurity cannot and should not be treated as a product that gets added on top of or parallel to other business software solutions. It has to be incorporated by design, meaning any product and service is designed with built-in security elements. 

Ultimately, cybersecurity today is a signals game – and it’s rapidly evolving from being reactive to being predictive. Microsoft, which has an unparalleled view of the evolving threat landscape, synthesizes 65 trillion signals a day—across all types of devices, apps, platforms, and endpoints.

UiPath is a next-generation robotic process automation (RPA) software provider that organisations rely on to remove tedium for employees and to realise maximum operational value. With multiple clouds and a sizable on-premises estate to protect, it deploys Microsoft Azure Sentinel, a scalable, cloud-native security solution, to create a complete, tightly meshed cybersecurity strategy.

A critical part of that strategy is collaboration between the security team and the engineering teams. “Security isn’t a one-team job,” says Cody Nicewanner, manager of cloud security and compliance at UiPath. “It must be a collaboration across various teams.” 

At PGE, Poland’s largest power producer, security is also underpinning its digital transformation. Migration of processes to the cloud has enabled the highest level of cybersecurity at PGE, including ensuring the safe transfer of data outside Poland and thus business continuity in the event of a threat of attack. 

“Modernising the way we work was a challenge due to the size of the organisation,” says Szymon Ferens, vice president of the Management Board of PGE Systemy. “At the PGE Group, we are aware that digitisation involves a new work culture and the inclusion of all employees in the transformation process.” 

Indeed, what it means to be ‘safe and secure’ has changed, says Microsoft’s Loukas. Organisations can no longer ‘go it alone’ – it’s instrumental that they work with partners and peers who share the same values.  

“This includes skilling,” adds Loukas. “With increasing threats and an accelerating shift to a digital-first economy, the need for skilled cybersecurity professionals has never been higher. But supply is not keeping up with demand, and public and private organisations need to work together to rapidly train the next cohort of cybersecurity professionals and close this gap.”

The right ecosystem

While an increasing number of firms understand the importance of making cybersecurity a cross-company issue, from the boardroom down, there are plenty that still need to be nudged in the right direction.

PwC recently helped a German chemical manufacturer by carrying out a cyber hygiene assessment, powered by Tanium, which produced a very powerful risk picture that the firm’s board understood immediately.

This then provided a blueprint that allowed the firm to leverage the right ecosystem of technologies, such as Microsoft Azure Sentinel, and bridge the gap between IT operations and security. 

For many firms, a lack of cybersecurity solutions is often not the key issue. Instead, some simply have too many. 

Indeed, Microsoft research shows that large organisations have an average of 75 security solutions. This complexity and discord between multiple security solutions is not just a burden, but also increases vulnerability.   

“Our comprehensive security solution helps protect our customers’ entire digital estate, whether they have adopted a single, multi- or hybrid cloud approach. This helps them simplify their approach to security through consolidation – and realise up to 60 per cent cost savings, so they can do more with less,” says Microsoft. 

“Anything less than a comprehensive approach to security is no security at all,” adds Loukas. With the right direction and professional support, that comprehensive approach needn’t be overly complex, nor costly. That’s something all C-level executives can get behind. 

“If business leaders and policy makers want to unlock faster digital progress and the economic and social benefits this can deliver, they need to place a renewed and sustained strategic emphasis on security,” he concludes. 

This article is part of Digital Future of CEE, a regional discussion series, powered by Emerging Europe, Microsoft and PwC.
