Boards play a major role in ensuring cyber risk is managed. Given the dynamic nature of technology, this is an ongoing effort that must continuously improve over time. Cybersecurity gaps and vulnerabilities create regulatory, criminal, legal, and brand risks, all of which need to be understood and overseen by the board. Somewhere in the world, cybercriminals are planning an attack on your company. They may target intellectual property, competitive intelligence, or information that can be used for fraud, blackmail, or extortion. By focusing on educating board members on cyber risk through transparent reporting on operational and financial impacts, CXOs can help directors better understand their organization's technology-driven risk exposure.
Board-level action items
CXOs play a key role in informing the oversight and governance of data and IT systems, but some things nevertheless remain the board's responsibility. First, boards must achieve a baseline understanding of their organization's technical capabilities and processes. This will help directors make informed decisions when prioritizing and allocating cybersecurity investments. They will also become better at risk oversight as they learn more about the legislative and regulatory framework associated with cyberattacks.
Boards must evaluate the organization’s exposure to cyber risks and assess its risk posture when setting the spending levels and relative priorities of investments. When done correctly, they will focus on cybersecurity as a part of the broader risk agenda. Security executives must brief boards on these matters before any major cyber incident occurs to ensure your organization is adequately protected and prepared. The most effective steps boards can take to reduce their organization’s cyber risk must be put in place before an attack.
Here are some preventative steps CXOs can advise boards to take now that will benefit the company, customers, employees, and shareholders in the event of a major cyber incident:
- Ensure there is direct accountability for cyber risks from an executive, leadership, and board perspective
- Know how each incident will be dealt with and communicated
- Verify security incident preparedness exercises and tests occur through simulation of actual incidents
The CEO has the ultimate responsibility for the success of the company, and this includes managing cyber risks. They may delegate certain tasks to key company roles, e.g., the CRO and CISO. However, since cyber risks can come from any part of the organization, other structural support needs to exist. Boards must facilitate a culture where every team member is aware of cybersecurity risks and adequately trained.
The board’s role is to manage risk in order to ensure that business can be conducted in a secure manner. Cybersecurity is interwoven throughout all the risk areas that concern the board. Cyber risk oversight impacts everything from the company’s growth to its stability. Cyber threats can impact its reputation and have geopolitical implications, as well as result in legal and regulatory complications. As boards cover the enterprise risk management framework and policies, they own the responsibility to uphold the internal controls of risk management, including those created by cyber.
It is also very likely that boards will be expected to have cybersecurity experts among their members and a firm grasp of the core tenets of security and risk. With any cyber strategy, it is important for board members to understand the process maturity of the organization they serve. Many companies now have their expertise assessed annually or regularly against the US Government’s National Institute of Standards and Technology (NIST) framework (Cybersecurity | NIST). Typically these assessments are run by external parties such as PWC, EY, Accenture, etc., and often include comparisons against industry peers. As noted above, the SEC also requires periodic disclosure on the processes in place for management and the board to assess and manage cyber risks.
According to the National Association of Corporate Directors (NACD), there are six principles outlining cyber risk management for boards. While these are ultimately the responsibility of company directors, today’s IT and security leaders must facilitate an understanding of:
- Cybersecurity as a strategic business enabler
- The economic drivers and impact of cyber risk
- Aligning cyber risk management with business needs
- Ensuring organizational design supports cybersecurity
- Incorporating cybersecurity expertise into board governance
- Encouraging systemic resilience and collaboration
- Boards play a major role in overseeing cyber risk. CXOs must help them to better understand the technology-driven risks facing their organization and provide oversight.
- Boards achieve a baseline understanding of their organization's technical capabilities and processes, which CXOs must be able to describe in non-technical terms. This will help inform cybersecurity investment decisions.
- Boards will evaluate their organization's cyber risk exposure when setting spending priorities.
- Preventative steps like ensuring accountability, incident response plans, and preparedness exercises are key. Encouraging a cyber-aware culture is also important.
- Boards are expected to have cybersecurity expertise among their members. CXOs, along with organizations like NIST and NACD, can provide guidance on effective cyber risk oversight.
This is part two of a series of posts dedicated to helping CXOs understand and excel in their board-level interactions. The next installment will focus on conveying cyber risk maturity concepts to the board.
What to read next