Resilience in the Age of Digital Vulnerability: A Call to Action for Boards

It is a fact of life that convenience comes with a catch. As digital transformation has revolutionized our lives, it has also created an ecosystem of dependencies that underscore everything from the power grids to our personal data.

Critical infrastructure, public services, businesses, and even personal lives are intricately intertwined with digital systems. This interconnectedness can amplify the impact of disruptions. Whether it's a potential cyberattack crippling a major airline, a sophisticated breach compromising sensitive data, or an operational error, consequences are felt far and wide. Adding to the complexity is the blurring line between the digital and physical worlds. Digital advances are connecting physical systems that were never designed for such pervasive interconnectivity, creating new entry points for malicious actors or simply placing reliance on weak links.

Board members play a critical role in guiding organizations through this complex risk landscape. This involves fostering a culture of security awareness, ensuring robust resilience strategies are in place, and actively engaging with management to address evolving threats.

Rethinking Resilience: Beyond Traditional Disaster Recovery

Traditional disaster recovery plans can fall short in the face of cyber threats. Many organizations are overconfident in their backups and recovery mechanisms but fail to conduct realistic stress tests that simulate the complexities of ransomware attacks or widespread Internet outages.

Furthermore, the interconnected nature of businesses introduces another dimension of risk: we are not only susceptible to threats within our own organizations but also to those impacting our customers, suppliers, and even their partners. These interdependencies can lead to unexpected concentration risks and cascading failures.

A company’s security team faces a daunting task in this environment. Most organizations grapple with a complex mix of legacy and modern systems, on-premises infrastructure, multiple cloud platforms, and a growing reliance on third- and fourth-party services.

This hybrid landscape presents a range of challenges, including the following:

• Strategic alignment. Aligning information technology (IT), security, and business goals is crucial. Disconnects between these areas can hinder innovation and create vulnerabilities in rapidly evolving digital environments.
• Security in the digital age. Organizations often prioritize rapid technology adoption without fully adapting security practices and operational processes. A holistic approach to digital transformation, incorporating people, processes, and technology, is essential to robust security.
• Artificial intelligence (AI). Proactive leadership is vital to navigate the unique risks associated with AI implementation. Organizations need clear strategies and best practices to effectively manage and scale AI initiatives.
• The regulatory landscape. Outdated regulations can present obstacles to achieving optimal security and resilience. Advocating for a modernized regulatory environment is key to supporting both innovation and robust cybersecurity.

The Board’s Focus: Embrace a Proactive and Resilient Approach

Despite these challenges, progress is being made with leading organizations actively working to mitigate these risks. Ensure that management provides a comprehensive view of the organization's cyber-risk profile, including potential impacts on business operations, financial stability, and reputation.

In this evolving threat landscape, boards should do the following:

• Champion a culture of resilience. Promote a proactive approach to risk management that goes beyond compliance to focus on building resilience across all aspects of the organization. Organizations that foster closer collaboration between security, IT, risk and compliance, legal, and business teams establish clear pathways to integrate security and resilience patterns into their operations.
• Invest in modern security and resilience capabilities. Allocate resources to modernize security infrastructure, adopt cloud-native resilience methods, and develop AI-driven security capabilities.
• Prioritize talent and skills development. Support the recruitment and retention of skilled cybersecurity professionals and foster a culture of continuous learning and development.
• Oversee regulatory compliance and advocacy. Stay informed about evolving regulations and advocate for policies that promote a risk-based approach to cybersecurity and resilience.

Boards should discuss these topics with their executive management teams, asking the following of their chief information security officers, chief information officers, chief technology officers, and other business executives:

• Are we building in “security by design?” Organizations are embracing initiatives, such as the Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative, and prioritizing security at the software development level, which shifts the burden from end-users to manufacturers.
• Are we harnessing cloud-native resilience? Organizations are leveraging the advanced resilience capabilities offered by cloud providers and other innovative technologies to enhance their security posture.
• Are we prioritizing transparency and using AI-powered security? Organizations are prioritizing transparency across software, AI, and supply chains, while actively utilizing AI to bolster security and resilience efforts.
• Are we proactively addressing the risk? Organizations are shifting their focus to leading indicators of security, such as software reproducibility and recovery times, enabling proactive risk management and early threat detection.

By embracing these actions, boards can help their organizations navigate the complexities of the digital age and build a more secure and resilient future.

Google is a NACD partner, providing directors with critical and timely information, and perspectives. Google is a financial supporter of the NACD.

Alicja Cade is a director in the Office of the CISO and Financial Services at Google Cloud.

David Homovich is a seasoned cybersecurity leader within Google Cloud's Office of the CISO, specializing in advising boards, CISOs, and C-Suite executives on secure and compliant digital transformation strategies.