Cyber security has risen as a key issue on the radar of virtually all organisations. As a recent AT Kearney report suggests, cyber-attacks have been topping executives’ lists of business risks for three straight years. In fact, the overwhelming majority of organisations have experienced some form of cyber-attack at some point over the past few years.

This concern is also driven by security and privacy becoming increasingly valued by customers and the media, and by regulators who are now stepping into the topic with the ability to impose business-threatening fines (GDPR in Europe, the California Consumer Privacy Act of 2018). In parallel, the cyber risk landscape is growing ever more complex, with new technologies such as AI bringing at least as many new threats as they bring opportunities to improve cyber security.

In this new age of “when-not-if” around cyber-attacks, it is worrying to see so many large organisations still struggling with the delivery of cyber security initiatives. Maturity levels on the topic have remained dangerously low; in fact, the same AT Kearney study found that more than 60% of surveyed firms had not yet fully developed and implemented a cyber defence strategy. Their findings echo those of many firms and research bodies year after year, and the situation appears rooted in decades of short-sighted adverse prioritisation of cyber security issues. It has also engineered a talent alienation dynamic which only reinforces the problem.

The board is ultimately accountable for cyber resilience, and the way out of this dire situation can only come from the board down. To that end, it is crucial that cyber security stops appearing periodically at board level only as a check-box exercise or after an incident, and instead starts anchoring itself at that level and informing every other strategic decision.

A way to achieve this could be to frame cyber security as a formal and integral part of a company’s Environmental, Social and Corporate Governance (ESG) strategy, and this is the proposition the Security Transformation Research Foundation analyses in its latest White Paper.

Cyber security is crucial in helping organisations create and protect value – an aspect increasingly backed up by data models. Beyond this straightforward argument, however, security is also becoming a key social and governance topic for all organisations.