Too many organizations function under the assumption that cybersecurity issues are an IT problem. They’re not. In fact, the responsibility of cybersecurity lies with everyone in an organization – including the board.
Rare are the days when you don’t hear about some kind of cybersecurity incident or breach. With the financial, reputational, and regulatory repercussions of these incidents being featured in every major news outlet, board members and directors know that their organizations need to be active in addressing cybersecurity issues, but too often the problem is passed off to an employee who doesn’t have a true seat at the table. Cybersecurity needs to be embedded in the foundation of an organization. Oftentimes, an initiative like that needs to come from the top.
The number of cybersecurity threats grows by the day, and so does the number of questions about cybersecurity and how to manage risk in a business environment. Can your board answer these questions effectively and efficiently? Who on your board is responsible for overseeing the cybersecurity program and for how it is communicated to everyone in the organization, including the internal information security team?
If cybersecurity isn’t a priority for your board, it’s time to make it one. Here are three things your board must do in order to play an active role in your cybersecurity program:
The first is to take ownership. How you approach cybersecurity will depend on your risk profile and the industry you operate in. Some boards delegate cybersecurity oversight to a standing committee; others address it as a whole. Whichever approach you choose, every board member must operate under the same core tenet: “I am responsible for cybersecurity.” Everyone on the board has some oversight responsibility and will need to advocate for cybersecurity to receive adequate time and attention. Remember: it is not just an IT issue. It is an enterprise issue.
You will also need to secure buy-in from the CEO. His or her daily leadership should cement the idea that cybersecurity readiness is a priority for everyone in the organization. If the board and the CEO are not aligned, your cybersecurity program will be on shaky ground.
Regardless of how your board structures its cybersecurity oversight, you need to set expectations with the management team for establishing a risk management framework, a budget, and the staffing needed to manage and mitigate cybersecurity risks.
The second is to bring in expertise. There is tremendous value in knowing what you don’t know. You know you’re not an expert in cybersecurity issues. Heck, even cybersecurity professionals can only be expert in so many things. Cybersecurity is a big job, and you need to draw on expertise in many areas. To address this knowledge gap, boards are bringing in directors who have a security background. A cybersecurity board member will not only raise the overall level of cybersecurity awareness and knowledge
To put it simply, you need to secure your business against cyber risk, and having fast access to a cybersecurity expert can help you achieve that. A cybersecurity board member can oversee a range of cyber-related issues, including (but not limited to) incident response, risk assessment, due diligence, business continuity plans, malicious insiders, ransomware and malware prevention, cybersecurity staff recruitment, compliance and regulatory issues, and governance. They may also engage an outside service provider to achieve some of these goals when necessary.
If you do not already have someone on the board or on staff to fill this role, your board should consider engaging an external third-party subject matter expert to assist with these initiatives. The important thing is to ensure that cybersecurity risks are not left unchecked.
At GreyCastle Security, we pride ourselves on the deep level of knowledge, real-world experience, and training possessed by each of our board members. Did you know Mike Convertino, the current Chief Information Security Officer (CISO) at Twitter, is on our board? Mike is in good company, as our board of directors and company leadership are comprised of industry leaders and subject matter experts.
The third is to assess your program regularly and independently. How prepared are you for a cybersecurity incident? Do you understand the legal and financial implications of an incident or breach? Answering that requires a comprehensive risk assessment. In keeping with the principles of good governance, your board should enlist an independent third party to evaluate your cybersecurity program annually.
In addition to an external audit, you should also perform internal evaluations. Think about how your board approaches financial controls and audits; the same discipline applies to your cybersecurity program. Establish a routine for cybersecurity testing and reporting: how often will your controls be audited, and by whom? You should be testing, measuring, and reporting on the effectiveness of your program on an ongoing basis.
If your program is static, it is ineffective. Just as attackers are always evolving their methods, you should always be evolving your defenses.
Cybersecurity buy-in doesn’t mean that every board member needs to become an expert in information security. But when you approach cybersecurity in the same way you approach other business concerns (with intelligent, structured administration and investigation), you’ll find a positive shift in corporate culture.