Cybersecurity and data breaches have become top concerns for companies. As a result, there is strong demand for adopting new cyber defense technologies, but a lack of knowledge about how to choose the most suitable solutions. Generally, CSOs and CISOs are charged with protecting the organization, but with today’s constant cybersecurity developments, it’s time for the entire organization to get involved. As trustees of the organization’s value and growth, it’s critical for boards of directors to start weighing in on cybersecurity activities in the same way they oversee financial ones.
There are many reasons why cybersecurity goes beyond the organization’s daily operational activities and is imperative for board oversight:
1. Financial implications.
- Costs. Cybersecurity incidents cause substantial expenses and losses, including data breach notification expenses, forensic and regulatory investigations, regulatory fines, attorneys and consultants, and remedial measures.
- Credit rating. Failing to employ proper security measures may adversely impact the organization’s credit rating.
- Stock value, liquidity and operational risks. After a publicly disclosed breach, a company’s stock price often drops, at least in the short term, adding to the direct financial losses and potentially affecting liquidity and ongoing operations.
2. Operational disruption. DDoS attacks can take departments or servers offline, and APT intrusions and large data breaches can halt operations and profits entirely.
3. Brand perception/reputation. Even a minor security incident can negatively affect a company’s ability to compete effectively and harm customer and shareholder confidence.
4. Legal liability. Companies might face lawsuits from customers and shareholders for failing to comply with regulatory data security and privacy requirements.
5. Regulatory compliance. The board must be informed about new legislation to oversee compliance with cybersecurity policies for protecting consumers’ sensitive personal information, as well as data security and usage.
6. Policies that go beyond IT. Corporate policies such as “Bring Your Own Device” (BYOD) affect how well the organization’s sensitive information is protected: for example, a personal device with access to the organization’s network may be stolen, or compromised by a malicious app the employee installed on it.
Since cybersecurity measures aren’t one-size-fits-all, cyber risk must be assessed against a company’s specific industry and internal processes. Many directors feel unprepared to address cyber threats because they lack the technical background to fully understand the risks. Below are tips on how to address cybersecurity with your board:
1. Speak the Board’s Language: Use language focusing on organizational growth, operations and value. This enables the directors to evaluate the overall cybersecurity risks and management activities, and to agree on an acceptable level of risk, especially given the post-breach exposure to regulators, the media and potential plaintiffs.
- Tie in the risks to the organization’s business and financial bottom line (e.g. purchasing a cybersecurity solution that costs X could decrease the risk of a breach by Y, or purchasing insurance that costs A could offset liabilities that cost B).
- Provide information that ties into the overall responsibilities of the board, such as: strategic planning, increased profitability, corporate governance, etc.
- Present the effect of cybersecurity measures on the organization’s competitiveness regarding expanding into new markets or utilizing innovative technologies.
- Convey the financial, personal (including directors’ own liability), legal, insurance and regulatory cybersecurity risks and the costs of minimizing them, ranging from meeting regulatory requirements to employee education.
2. To facilitate the conversation and evaluate current cybersecurity measures, provide the following information:
- The organization’s most valuable data assets that require the most protection.
- The most realistic threats to these data assets and who has access to this data.
- How these valuable data assets are protected (e.g. encryption, access control) and the relevant attack vectors and cyber threats.
- The security measures the organization currently has in place to protect endpoints, mobile devices and servers. What’s lacking?
- How a breach would be detected and remedied, and how long each would take (the expected time to detect and time to contain). Does the organization conduct penetration testing?
- The specific roles and responsibilities in the organization’s incident response plan and internal/external disclosure and notification procedures.
- What security measures and incident response plans do other companies in the industry have?
- Is the legal department up-to-date on legal and regulatory requirements?
- How often are employee cyber-education activities conducted, updated and evaluated?
- Is the organization spending appropriately according to its security priorities?
- Is the organization’s cybersecurity strategy aligned with its business objectives?
It’s essential that boards understand the organization’s cyber risks in order to successfully oversee overall company performance. CISOs and CSOs who can clearly convey cybersecurity to the board help the organization navigate today’s uncertain threat landscape.