By Simone Petrella, Chief Cyberstrategy Officer, N2K
Today’s directors often feel uneducated about cybersecurity and thus ill-equipped to tackle cyber risk decisions. When discussed at board meetings, cybersecurity risk is typically relegated to the audit committee or presented as an IT issue rife with technical jargon. Directors don’t have to settle for poor board education. It is possible to articulate and respond to cybersecurity challenges within the familiar and broader context of enterprise risk management, allowing for well-considered business decisions.
The first step in addressing cybersecurity challenges is to institute a culture of security across the entire enterprise. This is accomplished via effective communication between boards, management, and security leaders. This allows for transparent discussion of cyber threats and corporate vulnerabilities.
That type of culture has to start at one place: the top.
Cybersecurity Starts at the Top
The board’s role in prioritizing cybersecurity issues is paramount. It must ensure management is equipped to manage cyber risks with appropriate knowledge, staffing, and resources.
Directors, by definition, ask pointed and reasoned questions to ensure their organizations are operating in accordance with their vision, mission, and goals. The board must also set the expectation that it is OK, even welcome, to frankly and openly discuss corporate cybersecurity risks. If the board takes cybersecurity seriously and treats it as a necessary investment enabling business success, then management will follow suit.
Cybersecurity is like the brakes on your car: they’re not there to force you to go slower, they’re there to enable you to move faster. Making cybersecurity a priority at the board level enables the entire executive team to make more aggressive and confident decisions in areas that can significantly advance the business.
Many boards now rely on briefings from their Chief Information Officer (CIO) or Chief Information Security Officer (CISO), often through the lens of the audit committee. Boards rarely have the opportunity to review the company’s overall security posture.
And the paltry cyber knowledge they do have is not enough to properly prepare them to ask the right questions and process the answers. While directors’ ability to ask pointed questions of their management team is critical to ensuring cybersecurity integration, it requires more than asking a few questions off a checklist at an annual offsite or quarterly meeting.
The Current Approach Falls Short
The shortcoming in the current approach to board education is that it doesn’t provide directors a baseline level of literacy around cyber issues. This fails to equip the board with a level of comprehension that allows them to do the one thing boards do best: ask strategic questions and make informed business judgments.
Most of the resources available through current board education require directors to sift through arcane, dense material, which demands significant self-study.
Furthermore, information is often presented through the lens of cybersecurity experts without any consideration of how it fits into a broader paradigm. This is the opposite of the insight directors receive on governance issues, which typically draws on a wealth of in-depth experience from peers. In cybersecurity, the burden is currently on the directors themselves to extract the most relevant information and apply it to their own corporate situations.
Cybersecurity as a Risk-Influencer
As cybersecurity has increasingly become one of the top strategic priorities among enterprises, it has become just as clear that the laws and responsibilities surrounding corporate governance demand directors and officers become more actively engaged.
Directors and officers have the unique responsibility to empower and equip their corporate leadership with a comprehensive strategic understanding of cybersecurity issues, enabling them to make sound and informed business judgments that impact corporate governance and overarching business risk. Without leadership and education, the board of directors can’t reasonably expect to be equipped to appropriately address and respond to material cyber incidents, potentially exposing them to liability.
Breaches and cyber incidents may ultimately be inevitable, but they are no less inevitable than the physical or financial risks boards are already adept at addressing. With structured education and preparation, boards can confidently incorporate cybersecurity as just another enterprise risk within their companies.
At N2K, we aim to arm board members with an understanding of how cybersecurity impacts the risks to your most valuable assets. Consider attending Cybersecurity and the Board in Scottsdale, Arizona this October, or a future event, or getting in touch with us to schedule training in your own boardroom.