Corporate security and cybersecurity are no longer an IT problem.

A recent Gartner survey of nearly 1,000 people in large organizations found that corporate and cybersecurity have been elevated and now typically are governed by the Board of Directors.  In fact, Gartner’s results showed 71 percent of respondents saying IT risk management data influences decisions at the board level and reflects an increasing need to deal with IT as part of corporate governance. 

So how do board members educate themselves on the key points of securing a company’s corporate assets?  It involves three basic tenets:

  • They must understand security drivers and risks.
  • They must develop principals to oversee cybersecurity.
  • They must assess the risks for ensuring the organization’s safety.

Ask the Right Questions

Every board member needs to ask some crucial questions in identifying a major risk to the organization’s security: “Where is our organization’s data, who owns it and how important is it to the business?”  With the proliferation of bring-your-own-device (BYOD) scenarios, corporate data lives in and is accessible through numerous places, ranging from servers and desktops to personal devices like tablets and smartphones.  Whether the data is located in the cloud or on an employee device, establishing policies that protect it is crucial.

Recent public security breaches have focused on internal and cybersecurity threats.  As a result, Board of Directors must work with their CEOs and CIOs to identify which risks are most crucial to their organizations.  It’s crucial for C-level executives and board members to work together to identify the risks that are most threatening to their organization instead of just blindly purchasing the latest security software upgrade.   Security is unique to each organization and a universal solution does not always work for every company.

Unfortunately, many organizations outsource their data and security needs, leaving corporate security in the hands of a cadre of vendors and doubling or possibly tripling the security risk.  For example, the Target breach occurred when nefarious individuals compromised the credentials of an outside contractor through a combination of phishing emails and malware.  In the end Target’s chairman, president and CEO was forced to resign as he was ultimately responsible for the security failure.

While IT managers are responsible for managing the day-to-day activities of vendors, board members should know who these vendors are and if they offer a third-party assurance program.  Understanding what provisions are provided in the contract with breach notifications are equally important. In general, it’s just as important to assess security risks as it is to determine financial risks.

Five principles all boards should consider to enhance their oversight of cybersecurity

The National Association of Corporate Directors (NACD) provides five guiding principles to consider when taking an active role in corporate security decisions:

1.       Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

2.       Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

3.       Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

4.       Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.

5.       Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

These five simple, but comprehensive principles state that the security buck must stop with the board. CIOs and IT Directors must focus on the day-to-day activities, in which security is one aspect of the job. There’s little doubt that security is top-of-mind for CIOs in 2015, with Piper Jaffray reporting CIOs planned to up networking security and endpoint security more than 75 percent.  Still, CIOs are responsible for upgrading equipment and incorporating BYOD policies. They are stretched thin and often must appease the CEO.  IT is being commoditized and cannot solely shoulder the burden of security vigilance.  Board members must use their clout to guide their organizations in adopting, protecting and assuring the latest security measures.

Risk assessment is the key to evaluating security in every organization

Finally, board of directors must objectively evaluate the organization’s overall security health.  Key questions to ask are:

  • Has the company identified weak or non-existent safeguards through a security assessment?
  • When was the last security audit or assessment?
  • Were there any findings?
  • Are you confident the team has corrected any findings from the reports?
  • Have you identified information assets and their associated information security requirements?
  • Have you assessed information security risks and developed a plan to treat information security risks?
  • Have you selected and implemented relevant controls to manage unacceptable risks?

Board-level directors should insert themselves into the security discussion regularly and should demand regular updates from their C-level executives.  While balance sheets, new business, spending and sales projections garner the most board-level attention, security must be made a priority to protect the company’s greatest asset – its data.

Check back in the October 27 Security eNewsletter for part two of this series, focusing on important security compliances and metrics.