Digital transformation has enabled businesses to compete globally, fostering innovation and growth and creating operational diversities – providing competitive business edges in highly competitive markets. With emerging technologies like AI, the ever-expanding technological edge has further enhanced efficiency, simplification, and creativity in product and service development, and operations, thus paving the way for further progress and a promising future for boards and business owners, driving and expanding market share and capitalising on shareholders returns. These characteristics attract trustworthy shareholders, business clients and consumers, propelling the organisation to significant financial attribution, market share and influence.

Digital Risk
Although digital transformation in business opens up new possibilities and financial opportunities, it creates dangerous risks – like cancerous growths in the body. If these risks are not detected, assessed, and risk-managed early, they can lead to irrefutable business risks, which can ultimately impact the organisation’s viability and, most importantly, the trustworthiness of the organisation with its partners, clients and customers. Such resulting, specific sectorial business risks in today’s operating digital risk environment can be categorised as:

• Information Security Risk
• Operational Risk
• Financial Risk
• Compliance Risk
• Reputational Risk
• Strategic Risk
• Legal Risk (Civil Lawsuits)
• Physical Security Risk

Therefore, in today’s ever-changing business landscape, business resilience primarily depends on the board’s or business owner’s risk awareness and risk management level of maturity. Successful overall risk management necessitates implementing and operating an ISO 31000 standardised Enterprise Risk Management (ERM) program.

The international standard provides comprehensive guidelines for identifying, assessing, treating, communicating, recording and reporting, and monitoring and reviewing risks. These guidelines establish and continuously improve an organisation’s effective risk management process. The standard recommends integrating the risk management process into all aspects of the organisation, including strategy and planning, management, reporting processes, policies, values, and culture. Additionally, it provides recommendations for applying risk management at all organisational levels, functions, projects and activities. Therefore, the ERM program will enable the organisation to identify, prioritise, and manage risks that could potentially impact its mission and vision, hampering its long-term success.

But what are these risks, or how have such risks become warranting the Board’s attention?

Digital Transformation (a data-driven mechanism) incorporates varying IT strategies and technologies, which enables the business to be agile through its product and services, operational efficiencies and diversities by the utilisation of:

• Cloud applications and services
• Automated big data platforms
• Blockchain Technology
• Internet-of-Things (IoT) devices and services
• Artificial Intelligence (AI) and AI-based systems

The use of such digital technologies relies on the organisation’s level of digital maturity. This maturity, provided through strategic governance, is a top-down approach that can affect the organisation’s IT governance program to safeguard its principal digital assets and valuable Data. Data, which drives and enhances the digital transformation program, is at risk due to IT and other organisational vulnerabilities that cybercriminals can exploit, causing grave business risks, as previously mentioned.

Managing Information Security Risk – The Information Security Governance Program
How organisation governance is applied and operated (maturity level) affects the security nature of the business. That is, the information security model will have gaps in the maturity level of capabilities. Therefore, for a holistic approach to protecting and securing data – information security – the organisation’s security maturity is governed by its Information Security Governance Program (ISGP). The program operates on the principle of protecting the organisation’s assets confidentiality, integrity and availability through the development of the organisation’s governance, people, process and technology, and not technology alone – possibly making up a large percentage of the overall organisation’s concern when it comes to information security and who is responsible for it.

An Information Security Governance Program (ISGP) is a guiding document that strategically aligns the organisation, its people, process, and technology with the organisation’s vision, goals and objectives through security frameworks, policies, standards, procedures, and guidelines for securing business assets, keeping data secure and protected,
creating and building data privacy.

Recognising the security risks associated with digital transformation is very important, as they can have significant implications for the organisation’s well-being. Due diligence and due care must be the precursors to keeping the data it holds secure and safe. That is, Data Protection Laws and specific industry regulations make companies legally responsible and accountable for the safety and security of the data they hold within their boundaries. The organisation risks legal liability and significant business risks in the event of a Data Breach. In addition, the organisation can also be held liable if its networking infrastructure, solutions, or services are used as a vector in a cyber-attack against other businesses, partners, or clients, resulting in irreparable damages and losses. For example, the SolarWinds, Okta and MOVEit supply chain attacks affected many of their clients and customers, costing them millions of dollars in damages. In fact, SolarWinds is still experiencing this legal fallout in 2024, three years after the attack, with no clear end in sight.

The data held within the organisation’s boundaries, classified as either Intellectual Property (IP), Personal Identifiable Information (PII), and/or Personal Health Information (PHI), is at great risk of being breached by cybercriminals due to its highly resalable value on the dark web. In 2023, over 8.2 trillion records were breached due to cyber-attacks by cybercriminals. While this figure may seem enormous and concerning, it is worrying to note that this figure is considered to be low due to unreported breaches that continue to occur globally.

Cybercrime is expected to grow up to 15% in 2024, causing annual losses in excess of $9.5 Trillion globally. Contextually, cybercrime could be the third largest economy in the world, based on the International Monetary Fund (IMF) 2024 data on countries’ GDPs. With such an alarming trend and legal accountability, the boards’ visibility on digital liabilities and losses has to be one of great concern and resolved. The Organisations’ low information security risk posture is one of the major contributing factors to this problem. Cybercriminals are exploiting vulnerable organisations at a high alarming rate for financial gain. The breach data is not only ransom but is also sold to other criminal enterprises, in addition to providing the feedback intelligence required to create crafty, large-scale fraud campaigns to convince and commit fraudulent crimes against individuals and organisations. This lucrative and seamlessly unstoppable criminal industry continues exacerbating the global cybercrime problem, leading to further exploitations, financial extortions and breaches per annum – affecting millions of individuals’ privacy and safety and organisations’ IP.

Therefore, it is the organisation’s responsibility to manage digital liabilities effectively to reduce business risks and build business resilience by strengthening security controls. The effectiveness of this program is directly related to the maturity of the organisation’s Information Security Governance Program. The Board holds the ultimate responsibility for managing business risks, highlighting their support and influence in maturing the Information Security Governance Program. The program will help the organisation focus on information security in a highly risk-based strategic approach in the areas of risk and resilience, intelligence and awareness, supply chain risk and security operations management.

Risk and Resilience
Due diligence and due care in the security and safety of all assets, in compliance with all industry standards, laws and regulations, are the characteristics of a responsible board in their overall management of corporate risks. Therefore, the board will seek (through governing policies and awareness) to incorporate Information Security Risks into the Enterprise Risk Management Program for risk treatment. These risks must be strategically risk-managed appropriately to build investor confidence, digital trust, and greater opportunities in current and prospective markets, especially in today’s business landscape. The risk management maturity capability should be high, implying that risk management processes and activities occur at all levels of the organisation, which are either quantitively managed and/or optimised. With such a highly matured operational nature, the organisation will incorporate varying strategies, programs, and frameworks guided by international standards (shown below) to provide effective risk management. In fact, it is recommended that an Information Security Management System (ISMS) implement the ISGP based on the ISO/IEC 27001 – the global gold standard on information security, cybersecurity and privacy protection.

Understanding that information security risks do exist and require risk management, a security incident may occur at some point in the organisation’s history that may be severe and operationally affecting. It is, therefore, the board’s responsibility to ensure business resilience mechanisms are strategically governed and supported, having the necessary oversight and resources to function effectively and efficiently – preferably at a high maturity capability level. That implies implementing additional standardised management systems for incident and business continuity management. The integration of these management systems into other corporate management systems highlights the organisation’s resilience maturity capability level.

Some International Standards are:

• ISO/IEC 31000 – Risk Management Guidelines
  Benefits: Establishes the fundamental principles, framework, and process for risk management. It offers comprehensive tools for contextualising risk management in any organisation and provides criteria for monitoring, reviewing, and continually improving risk management practices. The guidance serves as the foundation for integrating risk management throughout the organisation. Adhering to the standard’s principles and processes, organisations can mitigate risk and ensure that risk management is efficient and effective.
• ISO/IEC 27001 – Information Security Management System (ISMS)
  Benefits: Provide the framework to protect the confidentiality, integrity and availability of organisational assets and data, including entrusted data from clients, customers, etc. It improves information security through awareness and audits, measurement mechanisms providing KPIs for management system effectiveness, and risk-based approaches to communicating suggested actions for improvements. It also provides good governance through extensive board oversight and strategic direction while ensuring conformity to laws, regulations, and industry standards. In addition, it helps build the organisation’s reputation through strict security adherence as an organisational value. Lastly, it can generate revenue through the reduction of breaches, efficient security management and operations, and business opportunities due to security reputation.
• ISO/IEC 27701 – Privacy Information Management System (PIMS)
  Benefits: It improves the organisation’s privacy framework through better management of privacy controls. By assisting the organisation in demonstrating compliance with GDPR and other data protection laws, regulations, and standards, it reduces security incidents and their impacts in the event of a breach. In addition, it helps build digital trust in current and expanding markets.

Intelligence and Awareness
In the current business environment, boards must make well-informed decisions regarding the organisation’s risk appetite. Information security risk is crucial in this equation and cannot be overlooked. Hence, boards must continuously receive up-to-date strategic threat intelligence, as information security threats are ever-changing. Additionally, with the emergence of new business opportunities in current and expanding markets and technologies, the organisation’s threat landscape is dynamically evolving, making it imperative for the boards to stay updated. Therefore, this type of awareness is crucial to the board’s security development and decision-making.

To remain strategically informed, boards are required to employ a Chief Information Security Officer (CISO) and/or a Security Advisor – either as a consultant or through a Managed Security Service Provider (MSSP). They should also support threat intelligence management in the information security governance program. In addition, having internal threat intelligence gained from monitoring and measuring information security controls will also help support and improve the program’s effectiveness.

Overseeing and supporting the information security governance program in security and data privacy management, as well as creating and building the security culture, requires comprehensive organisational awareness. Implemented policies should be communicated to the organisation through awareness and training programmes, both internally and externally, thereby creating greater awareness and feedback for successful and effective governance. Organisations utilising international best practices will effectively incorporate communication policies to achieve this purpose (good governance). These practices can come from the ISO standards mentioned in the Risk and Resilience section. In addition, a good organisational communication policy that drives awareness can also create effective human intelligence feedback for continual improvement of policies, programs, and management systems.

In addition, an effective communication policy is essential during an information security incident. Its importance is shown during a breach and/or the activation of the organisation’s business continuity/disaster recovery plan when the incident severity (serious/critical/catastrophic risk) is impacting the organisation.

Supply Chain Risk Management
Information Security risks exist in the services, software and hardware supplied to an organisation. Cybercriminals can use the supply chain to attack the organisation, compromising corporate data and affecting its confidentiality, integrity and availability. In a severe information security incident, IP can be lost, data is breached, operations and services become unavailable, and in some cases, public safety is affected. Supply chain risks cause serious business risks. Therefore, incorporating information security risks arising from the supply chain into the organisation’s ISGP for information security risk management will be crucial for the overall organisation’s risk well-being.

Security Operations Management
If the security cycle were to end (which it does not), it would be here. The board’s oversight and support in strategically maturing security controls’ capabilities are essential to the success, function, and operations of the ISGP. Many key risk-based controls exist and operate here, such as Change Management, Incident Management, Security Operations Centre, Operational Security, etc. These security controls treat information security risk in relation to the organisation’s risk appetite. It is the board’s strategic responsibility to ensure all policies are in place to support the ISMS, in addition to the corporate resources needed for the effective and efficient implementation and management of such control systems. The security maturity capabilities of these control systems determine the scale of an information security incident’s effect on the organisation’s landscape and its resilience capability level.

Conclusion
In the contemporary business landscape, boards, business owners, and senior executives must understand the complexities of information security risks well. This awareness can facilitate responsible governance across all organisational levels, ensuring that sensitive data and proprietary information remain secure and protected from potential breaches and other data risk activities that can affect its confidentiality, integrity and availability. Steps should be taken to mitigate information security risks and safeguard their operations against the ever-present threat of cyber-attacks and other malicious activities. By doing so, the organisation (de-facto the board, etc) demonstrates oversight, in addition to promoting the culture of security and accountability, instilling confidence in shareholders and engendering trust among partners, clients, and customers alike as it seeks greater financial opportunities in varying and expanding markets.