Podcast: How to get cyber accountability on the board agenda
We look at how boards should carry out strategic and operational risk profile assessments and plan for compliance on an ongoing basis to avoid fines and damage to the business
In this podcast we look at cyber accountability with Mathieu Gorge, who is CEO of Vigitrust.
We talk with Mathieu about how to avoid fines, or worse, when it comes to the Data Protection Act, General Data Protection Regulation (GDPR), NIST and Payment Card Industry (PCI) regulatory frameworks and how boards should carry out strategic and operational reviews of risks to their business.
Antony Adshead: Why is it important to get storage and compliance on the board’s agenda?
Mathieu Gorge: Well, I think it all boils down to the concept of cyber accountability, which really is the responsibility of key decision-makers like CEOs, CxOs and board members to essentially be accountable for the data they are entrusted with – whether that is employee data, customer data, trade secrets or third-party data.
You find that concept of cyber accountability in the Data Protection Act, in GDPR, in NIST, in PCI and many other regulations.
It is about – from a data perspective and a storage perspective – traceability, non-repudiation, making sure the actions of an entity can be traced back uniquely to that entity and potentially to users.
And so the risks of not taking cyber accountability seriously for the board are very serious. First of all, there is the risk of regulatory action that could result in fines or, in some countries, criminal charges, but also in terms of losing client confidence and losing confidence from the team.
So, we’re seeing folks getting in trouble as a result of the Equifax issue. More recently, we’re seeing the CEO of Zoom getting in trouble as a result of issues that came out when Zoom was used an awful lot during the Covid-19 coronavirus outbreak. And so, as a result of that, cyber accountability really should be one of the key priority items on the board agenda right now.
Adshead: How do we get the board to sit up and take notice of cyber accountability?
Gorge: The board really needs to look at the risk areas that apply to their business. So, whether it’s strategic, geo-political risk, financial, operational, contractual, reputational, brand management or closer to the themes that we normally cover such as cyber security, storage and compliance, board-level executives need to map out the risks that apply to their organisation.
Once they’ve done that, they can essentially educate themselves on the regulations that apply to their environment and understand how they need to protect the data from a storage, compliance and generic security perspective.
And, at that stage they can do a real strategic assessment or a more operational assessment that allows them to draw a plan of action which is quite operational and addresses the immediate issues and includes a plan for medium- and long-term management of storage and compliance moving forward.
The benefits of doing that are the ability to demonstrate to regulators or enforcement bodies that they have taken cyber accountability seriously, that they do have a cyber security and compliance programme, and that the programme is ongoing and not just a point-in-time solution – compliance is a journey not just a destination.
And when you look at cyber accountability from a decision-maker’s perspective, that’s really what it is – an ongoing journey.
So, you really need to take it seriously. Map out the systems, the data you’re protecting, have the ability to show that you understand where the data is, how you store it, how you transmit it and that you’ve taken appropriate security measures around it, which, incidentally, will allow you to comply with data protection regulations.