March 11, 2013
Good audit committees need to be able to deal with all types of risks – many associated with matters about which committee members have no personal prior knowledge. Cyber security is a classic example. Digital technologies are fast moving and ever more pervasive. Security matters are by their very nature often shrouded in secrecy. So audit committees have to ask questions and gather information that allows them to properly evaluate both likelihood and impact and put in place mitigation measures proportional to the risk. The same thinking could be used by policy makers too.
I moderated a DIGITALEUROPE briefing for interested European parliamentarians in early March. It was clear that the nature and scale of the challenge is not properly understood – and that’s understandable given the difficult nature of the subject. Those whose information or infrastructure has been compromised rarely advertise the fact. Yet efforts to raise awareness of the threat run the inevitable risk of causing undue fear. Add to these the need to avoid stifling innovation and fragmenting the European market even further and you can see the difficult tightrope policymakers have to walk.
I offer three guiding principles that could form a useful framework for thinking about cyber security. First, concentrate on raising awareness and building circles of trust within which information can be shared, and then implement voluntary mechanisms that are easy to use and bring rewards to the participants. And there are rewards, such as early access to information about new threats. Look for good practice that already exists – there is plenty. Secondly, be proportionate. Don’t burden SMEs with unnecessary requirements and regulation, and distinguish carefully between what really is important to our well-being and what isn’t. Don’t use sledgehammers to crack nuts. Finally, recognise that cyber knows no geographical boundaries; build the circles of trust using international standards and approaches with like-minded entities across borders.
DIGITALEUROPE cares greatly about the safety and security of Europe’s information and infrastructure ecosystem. Our members own or manage a significant proportion of it and have many years’ experience protecting it. We will continue to play a proper role in helping to shape an appropriate and effective policy and regulatory environment to increase that protection. We want Europe’s businesses and consumers to know they can use it safely.
John Higgins is Director General of DIGITALEUROPE, chairs a University audit committee and earlier in his career was involved in the establishment of a cyber information exchange in the UK.