In a 2015 survey by Raytheon and the Ponemon Institute, only 22% of participants said that their organization’s IT leadership briefs the board on cybersecurity strategy. Furthermore, only 14% say that their organization’s security leader has a direct reporting relationship with the CEO. In a separate poll by PwC, one-third of corporate board directors said they aren’t sufficiently or at all engaged in overseeing/understanding the company’s annual IT budget, which is an important component of cyberattack prevention. Here’s why it’s past time to get the board on board with cyberattack prevention and how to get started.
Why Boards Need to Be Involved
As SEC commissioner Luis Aguilar put it in his 2014 speech, “Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril. Even when boards do pay attention to these risks, some have questioned the extent to which boards rely too much on the very personnel who implement those measures.”
It is the board’s responsibility to ensure that shareholders’ best interests are the governing force behind a corporation’s major decisions. Clearly, preventing cybercrime is in the shareholders’ best interest, and it is the board’s responsibility to ensure the company has processes in place to prevent it. Cybercrime not only leads to revenue loss but can also involve costly legal fees, reputational damage and intellectual property theft. As seen in the charts below, the cost and incidence of cyberattacks continues to increase.
Source: 2015 Cost of Cyber Crime Infographic, HP
Where to Start
According to professional services giant KPMG, fighting cybercrime requires a company-wide effort. It’s not enough just to implement some technology security tools and wash your hands of the situation. They propose three key questions to help close the communication gap and get the right information to the board:
- What are the new cybersecurity threats and how do they affect our organization?
- Is our organization’s cybersecurity program ready to meet the challenges of today’s and tomorrow’s cyber threat landscape?
- What key risk indicators should we be reviewing at the executive management and board levels to perform effective risk management in this area?
Establish a framework
If the board does not yet have a process in place for reviewing cybersecurity – an easy way to get started is to adopt a framework that is already in place, such as the NIST Cybersecurity Framework. KPMG also provides a framework that works in conjunction with NIST and is more geared toward the board’s responsibilities as a whole. They propose a framework of board engagement and oversight in the following areas:
- Legal and compliance
- Leadership and governance
- Human factors
- Information risk management
- Business continuity and crisis management
- Operations and technology
Learn more about KPMG’s framework here. Set up regular meetings with the company’s top technology executives, such as the CTO, CIO and Chief Information Security Officer (CISO), if the company has one. These leaders can help the board understand the basics of the company’s IT strategy and the measures taken to prevent cybercrime.
Hire a Cybersecurity Expert
Once your company’s basic vision and goals for cybersecurity have been established, start looking for a cybersecurity expert to join your board. Board-level cybersecurity experts are hard to come by, and they prefer companies that demonstrate their commitment to the issues. Suzanne Vautrinot, a former major general and commander for the U.S. Air Force who helped create the Department of Defense’s U.S. Cyber Command has turned down multiple offers for board positions. According to CSO, It’s important to her to see that the company making the offer is serious about their cybersecurity initiatives and not just checking a box. She also turned down positions where she thought the board wouldn’t involve her in any other matters beyond security. In order to attract a valuable cybersecurity expert to your company’s board, CSO recommends they look at their own cybersecurity track record and discuss a vision for security before interviewing potential board members.
