Considerations for cybersecurity oversight in the boardroom
A little more than a year ago, Equifax disclosed to the public that it had experienced a cyberattack in which hackers stole the names, Social Security numbers, birthdates, and addresses of 147.7 million Americans, more than half of the US adult population. Since then, other major data breach incidents have been reported worldwide, involving, among many other entities, Facebook, the fitness tracking app Strava, Adidas, Under Armour, and India's Aadhaar identification system (reportedly compromising the personal information of all 1.1 billion Indian citizens registered under the service).
By now, it should go without saying that cybersecurity is not just an IT issue. Cybersecurity requires enterprise-wide awareness and effort. Cyberattacks hurt a company's reputation and can cost it the trust of its customers and suppliers: once the public comes to view an organization as unreliable or careless, that view is difficult to shake off.
To a large extent, the effectiveness of a cybersecurity framework can be measured by how quickly the organization detects a breach and how quickly it contains and remediates it. The longer an intruder goes undetected, or the slower the response once a breach is found, the faster operational, legal, and crisis-management costs accumulate. At the same time, staff are pulled away from their usual responsibilities to deal with the incident.
Considering how much is at stake for a company, cyber risk needs to be near the top of the agenda at board meetings. Some key considerations for cybersecurity oversight:
Defining board roles and responsibilities
Establishing clear roles for senior management and board members is key to ensuring accountability and ownership for cybersecurity oversight and cyber incident response. Have the appropriate lines of communication, including who informs the board of an incident and when, been set up as part of a holistic cybersecurity framework?
Improving board knowledge
Encouraging board education programs on cybersecurity gives board members the confidence to engage proactively with the topic. Board members do not need to be technical experts, but with the requisite knowledge they can ask better questions of management and bring the perspective and know-how needed to treat cybersecurity as a competitive advantage rather than only a cost.
Communication effectiveness and frequency
Organizations need to implement structures and processes that enable a consistent and reliable flow of information to the board. Boards should consider whether the quality and frequency of meetings and reporting are sufficient for the organization's needs and objectives. A board cannot make the right strategic decisions if it does not receive relevant information in a timely manner.
Setting the tone at the top for organization-wide culture and competencies
In a volatile business landscape, expectations of boards keep evolving, whether in their duties, in transparency, or in innovation. Depending on the maturity of the organization's cybersecurity framework, boards can set the tone at the top for culture, review current capabilities and talent management, review incident response plans, and assess existing structures, so that senior management knows where improvements are expected.
These considerations are the tip of the iceberg when it comes to cybersecurity oversight. As technology continues to evolve and cybersecurity becomes ever more complex, boards have the opportunity to lead their organizations in implementing best practices and in becoming cybersecurity leaders in their industry.
Want to learn more? Deep-dive into this topic on our upcoming training program for board directors, Cybersecurity Oversight in the Boardroom, on October 22. Alternatively, find out more about our Qualified Risk Director (QRD®) certification program, designed to provide board directors with a holistic understanding of Enterprise Risk Management and Governance, Risk, and Compliance matters.