Cybersecurity is likely appearing even more frequently on the agenda in many board meetings. This doesn’t mean that board members understand how to tackle the issue. After all, most board members have expertise in other forms of risk, and not in how to protect corporate assets from nation-state attackers and highly organized cyber adversaries. The good news is that there are several practical steps directors can take to protect their organizations that don’t require deep cyber expertise: help the CISO or CSO understand the business; ensure that security is included in discussions on new products and services; ensure that the organization develops and implements a cybersecurity curriculum; plan ahead for security incidents; and focus as much on culture as technology.
With news of data breaches, ransomware attacks, and zero-day vulnerabilities making headlines, cybersecurity is likely appearing even more frequently on the agenda in many board meetings. After all, no company wants to become the next brand on the front page of the Wall Street Journal or have their executives testify in front of Congress.
But while cybersecurity is now on the agenda at board meetings, this doesn’t mean that board members understand how to tackle the issue. After all, most board members have expertise in other forms of risk, and not in how to protect corporate assets from nation-state attackers and highly organized cyber adversaries.
The good news is that there are several practical steps directors can take to protect their organizations that don’t require deep cyber expertise:
Help the executives in charge of information security understand the business. While security executives have a reputation for stymieing operations and product development with the burdens of technical operations, their role is actually to enable business. Their job, in fact, depends on it. By including them in discussions about immediate and long-term business priorities, customer issues, and overall strategies, directors can ensure that the company’s security plan aligns with the company’s business goals.
Ideally, security executives should attend board meetings in the same way that a chief financial officer would. Failing that, they should at least be briefed by the board on the organization’s projects and should have a chance to respond with functional plans to support the company’s top priorities.
When meeting with security leaders, directors should ask how their cybersecurity plan will help the company meet one or more of these objectives: revenue, cost, margin, customer satisfaction, employee efficiency, or strategy. While these terms are familiar to board members and business executives, security leaders may need guidance on how to frame their department’s duties in the context of business operations.
Make sure that security is included in discussions on new products and services. Security is often tacked on at the end, or, even worse, after a flaw is discovered in a product that’s already being sold. Incorporating security in the early stages of product development results in safer, more secure offerings and can spare companies the expense, hassle, and potential public embarrassment that accompanies retrofitting security.
Ensure that the organization develops and implements a cybersecurity curriculum for all employees. The learning curriculum should include practical examples of how security incidents could affect the organization. Cautionary tales aren’t meant to spread fear. Instead, these examples should transform cybersecurity from an arcane concept into tangible scenarios understood by everyone.
Plan ahead for security incidents. Companies have to accept that despite their best defensive efforts, they will likely be breached at some point. Boards need to ask about a company’s incident-response plan and ensure that it’s current, and that contingencies exist for extreme scenarios, multiple incidents, or when third parties are affected.
Board members should also make sure that the plan is thorough: marketing, crisis communication, risk mitigation, and decision making in the moment can be overwhelming and lead to errors. Beyond including IT and security personnel, the plan should assign a cross-functional risk committee that has full executive authority. The plan should also include marketing and legal personnel to handle public relations efforts and to comply with government regulations on publicly disclosing breaches.
Focus as much on culture as technology. Security is so much more than purchasing antivirus software and conducting penetration testing. It also entails changing corporate culture and helping employees realize that the duty of keeping intellectual property, customer information, and other business data safe isn’t limited to security and IT personnel. It’s a task that requires the full effort of the entire company.
Ideally, boards should eliminate obstacles that prevent organizations from developing a culture of proactive security. Without strong support from executive management and the board, companies are unlikely to develop strong cybersecurity practices. Directors should make sure that OpEx and CapEx are aligned with risk reduction priorities and projects; security is not done for security’s sake. It’s done for the business.
In the future, familiarity with cybersecurity will become de rigueur for most directors. For the time being, however, several practical steps can be taken at the governance level to greatly reduce the risks of cyber-attacks.