As cyberattacks rise in number and sophistication, board members can take proactive steps to up their cybersecurity game.
In a business environment rife with data breaches, ransomware attacks and other online incursions, cybersecurity has become a frequent topic of discussion in board meetings. While many board members do not possess expertise in data security, mitigating cyber risk is now integral to corporate governance. Even with a skilled CISO or CSO on the executive team, responsibility for data security must be shared, given the magnitude of the threat. Directors can and should bolster their risk management arsenal to lessen their organisation’s online vulnerability.
Inclusion and cooperation are essential, and boards can bridge gaps between cybersecurity executives, the CEO and other executive functions. Fundamentally, those charged with information security need a firm understanding of the business. As Sam Curry of Cybereason explains, “By including them in discussions about immediate and long-term business priorities, customer issues, and overall strategies, directors can ensure that the company’s security plan aligns with the company’s business goals.” Ideally, an organisation’s cybersecurity should be enmeshed with its business strategy.
Most organisations have training programs to address the issue of data security, but many also acknowledge that their programs are inadequate. Curry, writing for Harvard Business Review, recommends implementing a “cybersecurity curriculum” for all employees, aimed at deepening their understanding of how a security incident could affect the entire organisation. It soon becomes clear that cybersecurity reaches far beyond technology.
The likelihood of any company experiencing a breach is high, and the risk level cuts across sectors. Companies and boards must accept this state of affairs and have a solid plan in place for managing it. For boards, this means knowing the company’s response plan, ensuring that it is current, and ensuring that it includes contingencies for extreme scenarios, multiple simultaneous incidents, and cases where third parties or customers are affected. The plan should also be thorough enough to absorb missteps in marketing, public relations, risk mitigation and decision making, all of which can occur during a crisis.
Taken together, such steps amount to developing a culture of proactive security. Boards, in cooperation with cybersecurity executives and the entire executive team, are ultimately responsible for ensuring that all employees understand the importance of keeping intellectual property, customer data and other business information safe. Strong cybersecurity practices require a commitment from executive management and the board to prepare for crises before they occur rather than reacting only once they have happened.