Frank Ford: Cybersecurity

With new legislation holding boards accountable for data breaches in cybersecurity, the questions of where and how to invest in cybersecurity are increasingly concerns for companies. Frank Ford, a partner in Bain's Information Technology practice, shares how organizations can address those concerns by looking holistically at their cybersecurity maturity.

Read the transcript below.

FRANK FORD: When we talk to boards about cybersecurity, we often hear the same set of concerns. The questions like, how good is our cybersecurity? And are we adequately defended? Are we spending enough money, or perhaps are we spending too much? Are we spending it in the right areas? And also, how do I understand my own IT people? I can't understand what they tell me about cybersecurity.

Now, these may sound like basic questions, but in fact they are actually genuinely difficult for organizations to answer. Some of the reasons for this are just the nature of cybersecurity itself. There are many different frameworks, thousands of regulations and thousands of service providers and products available, so organizations often try to mix and match and come together with a, like a soup of solutions for how they address cybersecurity.

But it's very difficult to benchmark what they're doing against the industry, and there's a lack of benchmarks in general. But these questions are very important for boards today and increasingly so. There's a lot of new legislation coming into effect. We have GDPR in Europe, we have King IV in South Africa, and these are examples of legislation that are pushing responsibility for data breaches directly to the board and holding them individually accountable. So the onus on the boards to make sure that organizations are safe and secure is more than it's ever been. And this is a trend that we believe is going to continue.

So in terms of how to best answer these questions, well, you need to start, first of all, by properly understanding your current level of cybersecurity and maturity. And to do this, you need to look at your organization holistically, so it's not just a question of which technology products do you use or which processes you follow. You have to start by looking at overall governance, and technology is important as well. The processes you follow too, but also the organization structure.

Am I looking at these in the right way? You can properly understand how well your organization is structured from a cybersecurity perspective and how able it is to manage the risks that you face. Once you've successfully baselined your cybersecurity capability, you can start getting on the front foot and targeting investment in areas of weakness or the areas of most risk. And this enables you to just strengthen your organization in a targeted fashion. And by getting on the front foot in a proactive fashion and continuing to invest, an organization can ensure that its cybersecurity continues to meet the changing threat environment that exists.