Cyber risk in advanced manufacturing: executive and board engagement

By Sean Peasley

The manufacturing industry is vulnerable. Nearly 50 percent of executives surveyed in a recent Cyber risk in advanced manufacturing1 study Deloitte conducted in collaboration with MAPI indicate they lack confidence their company’s assets are protected from external threats. Additionally, 48 percent of cyber risk executives surveyed believe while senior management is committed to improving the company’s cyber-risk profile, obtaining adequate funding to support key cyber initiatives such as risk assessment, data protection, cyber threat monitoring, incident response planning, and employee awareness remains a significant challenge.

Traditional board reporting covers enterprise networks and business systems, but doesn’t often expand into broader areas of cyber risk related to innovation, industrial control systems and connected products. Only when the board and C-Suite clearly understand the company’s true cyber risk profile can they appropriately prioritize resource allocation in alignment with their risk tolerance.

Keys to engaging board and C-suite executives to improve cyber security initiatives

Establish a senior management-level committee with board member representation dedicated to the issue of cyber risk.

Ensure escalation criteria includes board members. Review cyber breach incident management framework and establish escalation criteria to include board members.

Share results of enterprise cyber risk assessments at the board level, including the potential impact on business outcomes in the areas of sensitive data protection, ICS, and connected products.

Establish a dashboard of key cyber risk indicators and trends to support continued dialogue around strategic investments designed to improve cyber maturity across the organization.

Share cyber security updates and awareness efforts with board members. Board updates should include results of broad employee awareness and resiliency efforts, including lessons learned from wargaming simulations and table top exercises. This should also include transparency on the most likely cyber risk events a company may experience, key mitigation and incident response strategies, and continuous improvement opportunities identified in these efforts.

Ask the right questions to ensure updates to the board are complete. When it comes to a board update, the following framework can help boards evaluate questions to ask to determine whether the scope of the update they are receiving is complete:

Ten questions boards should be asking

  1. How do we demonstrate due diligence, ownership, and effective management of cyber risk? Are risk maps developed to show the current risk profile? Do they identify emerging risks we should get ahead of as well?
  2. Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading the important cyber initiatives related to ICS and connected products?
  3. Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
  4. Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
  5. How do our cyber risk program and capabilities align with industry standards and peer organizations?
  6. How do our awareness programs create a cyber-focused mindset and cyber-conscious culture throughout the organization? Are these programs tailored to address special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected products?
  7. What have we done to protect the organization against third-party cyber risks?
  8. Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?
  9. How do we evaluate the effectiveness of our organization’s cyber risk program?
  10. Are we a strong and secure link in the highly-connected ecosystems in which we operate?

Only when the board and C-Suite understand the company’s true cyber risk profile can they appropriately prioritize resource allocation in alignment with their risk tolerance. Asking the right questions and establishing key engagement strategies at the board level will improve the awareness of security needs from the top down and help secure the best resource allocation and funding to address cyber security concerns and prioritize initiatives.

To get a more in-depth look of the findings, be sure to visit www.deloitte.com/us/cyber-risk-advanced-manufacturing where you can download the full report, executive summary and infographic. And, be on the lookout for an upcoming series of blog posts on the key themes identified in our study.

To download the full study and infographic, click here: Cyber Risk in Advanced Manufacturing Study


1Cyber risk in advanced manufacturing, Deloitte and MAPI, 2016

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s