In the not-so-distant past, cyberattacks were infrequent and rarely made the front page of most major news outlets. Fast forward to today, and news of cyberattacks is so frequent that it is on a fast track to becoming the new normal.
Cybercrime news ‘overload’ causes many businesses and corporations to tune out the ever-growing, imminent threats. These threats damage brands and seriously deplete bottom lines—making CEOs and board members more accountable. Yet 75% of corporate boards are not actively involved in cybersecurity oversight.
Part of the problem is that cybersecurity has traditionally fallen ‘outside’ the definition of business risk.
The formal education of most CEOs or board members did not include terms like black and grey hat hackers, hacktivists, phishing, shadow IT, the dark web, etc. Historically, most boards left cybersecurity to “their IT guys” to figure out, and in today’s world, that is no longer enough.
Taking on the issue of cyber risk from the boardroom is generating serious discussions about who should handle what. Is it a full-board issue or should it be delegated to an audit risk committee? Boards are rightfully concerned about shareholders and whether the right questions are being asked.
The National Association of Corporate Directors (NACD) suggests moving from an “our-layers-of-defense-make-us-secure” to a “breach-is-inevitable-let’s-be-ready” mindset. That is not to say that organizations should give up on defense. In fact, quite the opposite is true—cybersecurity initiatives should be consuming a larger portion of the IT budget.
But, no matter how much is invested in a strong defense, readiness for a breach must be part of the picture. As a result, directors ask more probing questions about readiness, response, detection, and how to handle a breach if it happens.
After a board becomes more familiar with its organization’s cybersecurity environment, members can drill down to deeper questions. Those deeper questions cover threats, insurance, detection, and how the organization finds and responds to incidents. It is also important to know how the board will be informed of breaches.
All indicators show that today’s cybersecurity buck stops with the board of directors. Directors can no longer be bystanders, because cybersecurity risk has become as critical as the many other issues boards face.
The Wall Street Journal in an article titled, “Cybersecurity: Boards Must Ask Sharper, Smarter Questions” recommends that boards ask about lessons learned and how changes are made after cybersecurity incidents. They also suggest focusing on the overall evaluation of the security team’s response to the incident. This can lead to more mature discussions on the effectiveness of security controls and the overall security program.
The time to put mechanisms in and find potential partners to assist your board is now.