You would be forgiven for assuming that with the number of major cyberattacks and data breaches that make the headlines every month, boards would automatically make cybersecurity a priority. For too many businesses though, cybersecurity only temporarily receives serious attention from the board before fading into the background until the next headline-making breach.
This invisibility can be frustrating for cybersecurity managers, businesses executives and company shareholders. Yet, none of these stakeholders can afford to let cybersecurity be relegated to a footnote of board meetings. The good thing is cybersecurity’s invisibility at board-level is not inevitable. A lot of companies have managed to make cyber risks a top priority. Here’s some of the ways how.
1. Focus on ROI and Risk as Opposed to Threats and Vulnerabilities
Security monitoring and threat intelligence reports can demonstrate the rise in cyberattacks. They cannot however answer how safe the organization is or what is the potential cost to the business of a successful attack. Security reports and presentations to the board must be designed to communicate a holistic perspective of risk and cost.
Virtually all boards will recognize that there are cost repercussions of a successful attack. What they need guidance on is how the cost of risk mitigation compares against the cost of potential exposure. Chief Information Security Officers (CISOs) should convert risks into actual losses. For instance, what’s the potential impact of a cyberattack on shareholder value and stock price?
Of course, no organization has the financial muscle to protect itself from every possible cyber threat out there. Focus on ROI and risk is all about helping the board strike the right balance between controls and business operations.
2. Have a Cybersecurity Champion in the Board
It’s always easier to drive a company-wide cause when you have someone at the highest level of decision making who understands and supports it. In recent years, organizations have sought to diversify boards by bringing in a wide range of backgrounds, skills and perspectives including investment management, human resources, risk management and information technology.
In staying with this trend, businesses should have a cyber-risk expert in their boards. It’s especially for organizations in industries that are frequent targets for cybercrime such as financial services, utilities, healthcare and retail. With a security champion in the board, there will be someone who is equipped with the insights required to keep security at the center of board conversation. They can be an asset in helping their less tech-inclined colleagues make sense of cyber risks.
3. Demonstrate Cyber Insurance Cannot Cover all Losses
Cyber insurance is a recent but potent tool for mitigating cyber risk. It typically covers liabilities that arise due to a data breach. These include infrastructure damage, data recovery, system repair, legal fees and any notifications sent out to affected customers. While it is an important addition to the arsenal businesses can wield against cyber risks, it can inadvertently give boards a false sense of safety.
Boards must be shown that cyber insurance does not cover all losses such as those arising from the theft of intellectual property or the upgrade of infrastructure to prevent future attacks. In the wake of a ransomware attack for instance, cyber insurance would give a business the confidence not to pay the ransom but will not mitigate the losses from reputational damage.
Boards should instead expect a multi-faceted approach where cyber insurance is a welcome addition to an array of risk management tools that drive risk prevention, cyber resilience and rapid incident response.
4. Emphasize Cybersecurity not an IT Problem
Take a look at the world’s most valuable companies today and compare that to the situation 30 years ago. Data is certainly the new oil. And with data and IT systems as the engine that runs modern organizations, cyberattacks are considered the biggest existential threat to organizations in 2022. Cyber risks must therefore be up there in discussions about the most serious risks a business faces. This is not always the case though.
Aside from the CISO, CIO and perhaps one or two concerned board members, many boards and C-suite executives still see cyber risk as an IT problem. And as an IT problem, it can be taken care of by simply throwing new software and revised system configurations at it. It’s a costly mistake. Boards have to be reminded as often as is needed that cyber risks are enterprise risks. If a ransomware attack is successful, it could cripple the entire business and not just the IT department.
5. Advise that Cyber Risks are Rapidly Evolving
Boards will provide direction on a number of issues. When they do sit and approve a matter, they may not expect to deal with the same issue weeks later. This mindset can be problematic for cyber risks. Controls that were put in place just weeks ago may be rendered ineffective by a new unforeseen development.
So boards should be advised that just because they made a decision on a certain cybersecurity matter during their last meeting, does not mean they will not later have to change that decision weeks later in favor of a better solution. The need for this flexible mindset is not unique to the management of cyber risks. However, acquires exceptional importance given how rapidly the cyber threat landscape evolves.
The Board Cannot Afford to Ignore Cybersecurity
Cyber threats continue to rapidly evolve in sophistication and scale. The management of cyber risks has always involved a tradeoff between risk and cost. This balance will continue to be important. Organizations today face the most formidable cyber criminals in history. These range from organized crime syndicates to state-sponsored hacker groups.
With so much at stake, businesses cannot afford to have boards that are not hands-on in cyber risks. For the board to give cybersecurity the priority it deserves, it must be equipped with the information and capability required to make the right risk management decisions for the organization.
Photo credit: Pixabay