Research shows that four in five American companies have been the target of an attempted systems hack. That’s an astonishingly high number. These attacks aren’t taking place because businesses are not investing in cybersecurity products and services. Far from it, companies were projected to splurge more than $90 billion on IT security products in 2018 according to a Gartner research. Yet somehow, this enormous spend isn’t necessarily translating to fewer attacks. That’s in large part due to the weak or absent direction and oversight of enterprise cybersecurity at the organization’s highest level. Companies are faced with a dearth of context and direction. Many businesses don’t have clarity on how secure they should be, what amount of risk is acceptable, and what they are ready to spend to lower risk to an acceptable level.
For too long, many companies have seen cybersecurity as something best left to the discretion of the CISO, CSO, CRO, CIO, or CTO. This model isn’t sustainable no matter how much money businesses have thrown into acquiring new cybersecurity systems.
The board’s involvement is paramount
Cybersecurity isn’t just another tech issue that can be addressed by a strictly tactical approach. A cyberattack can have a profound impact on not just the operations of a business but also the broader reputation and brand of the company. The average cybercrime incident leads to millions of dollars in direct and indirect losses. A board’s primary responsibility is risk-based strategic oversight with a high level view of the effectiveness of risk management policies and programs. Due to the far-reaching ramifications of tech for the modern enterprise, these risk management policies must of necessity include cybersecurity. Even for businesses that do discuss cybersecurity at the board-level, they often do it relatively passively. The board-level responsibility for developing a cybersecurity policy and actively monitoring cybersecurity risk management is usually left to the audit committee. It’s not that boards are deliberately indifferent. Rather, CIO or CISO presentations follow a predictable routine. The jargon-laden lecture goes over the heads of all but a tiny minority of board members. Nevertheless, given the potential impact of IT security risks, cybersecurity must make it to the full board meeting agenda.
Boards must be principal champions of enterprise cybersecurity
At least once a year, boards must have a highly interactive engagement with management. They must ask the hard questions, champion enterprise-wide awareness and education programs, and emphasize the prioritization of cybersecurity risk.
Boards must structure and guide conversations with management. They should insist on language that breaks down tech concepts into a clear and simple language. Boards should seek to establish how the business is lowering the risk of a cyberattack. They must encourage the use of trends and other quantitative metrics that would readily unearth a lapse in security if one were to occur.
Management, on the other hand, must provide a brief of significant cybersecurity events that have happened since their last board presentation, how they were discovered, what the response was, and what lessons were learnt that would help prevent a similar incident in future.
The following is a look at some of the most important building blocks of effective board oversight of cybersecurity.
Understand the complexity and scale of the threat landscape
Board members typically possess varying degrees of cybersecurity knowledge. In fact, except for tech companies, most boards will have only a minority of members with the technical background required to understand cybersecurity in depth. Fortunately, boards don’t need to get into the technical details.
They do need the basic IT knowledge required to make the right high-level strategic cybersecurity decisions. That includes getting a sense of the changing threat landscape and a working knowledge of the major types of attacks and controls. They must appreciate that different types of attacks (malware, DDoS, phishing, packet sniffing, brute force password attacks, etc.) will require different types of defenses and controls.
Understand the dangers facing an Internet-based business
Boards must recognize the security complexities that come with running part or all of the business online. Offering products or services via the Internet renders traditional security defenses inadequate. Companies are right to leverage the worldwide web in offering convenience to customers and partners. Nevertheless, they must ensure their online channels do not become conduits to launch an attack against them.
Understand that absolute control is unfeasible
Boards must understand that absolute cybersecurity defense doesn’t exist. They cannot determine whether the enterprise’s network, hardware, operating systems, applications, and databases are secure by a simple yes-or-no response. Remember, there’s no business that runs in an environment that’s 100 percent risk free.
The key is defining a well-thought-out acceptable level of risk that wouldn’t prevent the business from operating successfully. Risk reduction is expensive and the board must ultimately make a decision on what risk mitigation it can afford and at what point it may be time to discontinue a business product or process or transfer the risk via insurance.
When defining acceptable risk, it helps to have a reference point such as peers framework, industry benchmarks, regulatory requirements, and cybersecurity standards.
The point is for the organization’s executive management to articulate their cybersecurity risk boundaries and get the board to understand and sign off on it. This puts stakes in the ground and provides a guiding set of principles that form the basis for IT security decisions.
Note that the risk appetite statements shouldn’t be static. Instead, they must evolve in the wake of new information, cyberattacks, system changes, and a re-calibration of the organization’s overall strategy.
Focus on local risks
The board must focus on local enterprise-specific risks. Every month or two, a major cybersecurity breach captures international headlines. The dramatic (sometimes sensationalized) news of such events will often get boards everywhere to sit up and ask whether their business is immune from a similar attack.
There’s nothing necessarily wrong with that. Nevertheless, there are likely more immediate and relevant cybersecurity risks that the board should devote more time and resources to. Boards should always be open-minded and flexible but shouldn’t let news headlines drive their cybersecurity agenda.
Listening to those responsible and the experts
On matters cybersecurity risks, boards will usually hear from the CISO, CSO, CRO, CIO, CTO, or other executives charged with managing and monitoring cyber risks. They’ll also listen to external auditors and third-party experts. Both the internal and external experts can provide valuable tips on how to best manage the evolving cyber threat landscape.
At the minimum, the board’s conversation with internal and external experts should cover cybersecurity in the context of defenses, customers and incident response.
Does the business have effective defenses that are cognizant of the threat landscape? Does it monitor customer activity and behavior to minimize the risk of identity theft and unauthorized use of access credentials? If hackers or malware successfully breach defenses, is the business adequately prepared to quickly stop and contain it?
Enterprise cybersecurity: It’s the sensible thing to do
Cybersecurity is increasingly becoming a top-of-mind topic for boards. In light of this, board members must adopt a proactive stance in quantifying and monitoring cybersecurity risk. Boards must understand that cybersecurity is an enterprise-wide risk. It’s not just an IT issue as many assumed in the past.
Ultimately, boards are accountable to the company’s shareholders and must demonstrate clarity on the business’ health and direction. It’s therefore sensible that they take charge of cybersecurity. That’ll prevent their business becoming the next unfortunate statistic of a cyberattack.
Featured image: Freerange Stock