Over the last several years, there has been a growing chorus of security professionals advocating for a new responsibility in boards: focusing more on cybersecurity. This is a valid concern, as threat actors in recent years have proven that virtually every organization can be successfully breached—and the damage can be significant.
Aside from direct financial loss, a cybersecurity breach can lead to significant losses in many forms:
But the straw that broke the camel’s back is often attributed to the 2013 Target breach, when many of Target’s board members were sued and an oversight committee recommended replacing the board. You could say this breach is what caused a significant shift in the role of the board of directors. Boards today are not just responsible for overseeing risk—they’re being held liable for their company’s failure to adequately mitigate those risks.
Additionally, boards are feeling increasing regulatory pressure to deeply engage on this issue. Regulators are now asking more about how the CEO, CFO, and general counsel are involved in cyber risk and what the board is doing to oversee that risk.
With all of this in mind, there are several things board members should be doing to adapt to this new role:
It’s really important for board members to understand that while cybersecurity is a critical organizational issue, it shouldn’t be treated differently from other critical issues like financial risks, operational risks, or legal risks. Many boards feel uncomfortable with the subject matter as it’s an emerging and highly technical area, but it should be handled with the same emphasis as other critical matters.
There is currently a debate—with several different schools of thought—about how boards should handle cybersecurity internally.
We’re seeing a trend in companies appointing someone to sit on the board with specific cybersecurity expertise, but this may only be appropriate in certain sectors (like a defense company, for example). For most organizations though, it isn’t appropriate to ask one person to take on the full responsibility. Thus, we recommend either involving the entire board or designating an existing committee (like the audit committee) to examine cybersecurity.
Every organization should be focused on protecting their most valuable information—whether that is credit card information in the retail sector or health care records at a hospital. One of the responsibilities of the board of directors is to ensure that the organization has adopted a cybersecurity policy that keeps the protection of this valuable information in mind at all times and that the strategy in place today is working as it’s meant to.
It’s a bit passé to say board members should be involved in cybersecurity for their organization. But the question often asked is, “To what degree?”
The answer, of course, is dependent upon the organization—but for a board to be involved, they need to have easily digestible information about the organization’s cybersecurity effectiveness given to them. If a CISO can provide excellent metrics to the board and speak in a language they can appreciate and understand, the board will be poised to make the right decisions for the organization.
