Board members are becoming increasingly aware of their own accountability and exposure in the event of a cybersecurity breach. By 2020, 100% of large companies will be asked by their Board to report on cybersecurity, up from roughly 40% four years earlier.
What boards are not asking for is a mass of technical detail they will not understand and that will only cloud their ability to make good decisions on your behalf. Instead, I recommend framing the conversation around three mindsets, which I treat as building blocks.
Building Block 1: Cybersecurity is about Risk
Cyber risk is no longer just an IT issue but an enterprise issue, with costs and penalties at every level: company mission and profit, employment, and financial and legal consequences.
Risk is a function of threat, vulnerability and consequence, so a change in any one of the three changes the risk.
Therefore, boards need to be kept informed about:
- Evolving threats
- Changes in business needs and their association to new security risks
- Increasing regulations
- Policy updates
- Changes in where data and services live, for example services moved to outsourced providers or cloud applications, and the jurisdictions that come with them
Building Block 2: Cybersecurity is about Risk Mitigation
Mitigation is about reducing the threats, vulnerabilities and consequences your company faces.
And it starts with the Board. Often overlooked is the Board's own vulnerability. Board members are privy to a lot of information, much of it confidential, and much of it handled on their own devices. Their devices and communications need to be covered by security measures that reflect the same policies and procedures the company applies to everyone else.
By extension, the Board needs to be aware of how security training and education are implemented and practiced among all employees.
Building Block 3: Cybersecurity is about Risk Mitigation Strategy
A number of boards are now discussing the value of having a cybersecurity specialist on the board, to bridge the gap between the board's lack of knowledge and the increasing expertise they need in front of them. At minimum, they must decide who in the company reports to them on cybersecurity; ideally, it is the same person every time. Boards are increasingly aware of the time they must now give to cybersecurity in their meetings, and of the need to understand these essentials:
- Is our budget congruent with our security need?
- Are we in compliance?
- Are the Business Continuity Plan and Disaster Recovery Plan in place, and what were the results of the most recent tests?
- What risks must we avoid, what risks are we willing to accept, and what risks must we transfer through insurance?
- Are the right people in the right places?
The CIO who builds these into the Board's working knowledge will find a Board and CEO ready to invest in return, both in the CIO and in the IT needs the CIO represents.
Which of these has been most critical in your own work with boards? Tell us below.