Until an incident, cybersecurity (or cyber security) isn’t discussed in many boardrooms. The topic is often viewed as a box to be checked while directors devote their attention to the core mission and goals. But the dramatic rise in successful cyberattacks last year highlights the rising costs of cyber threats to companies, their reputations, and their clients.
Board members often don’t have a background in tech. But they don’t need to become IT experts to carry out their oversight responsibilities on information security. Regular security awareness training helps board members and directors understand the key issues and trends in cybersecurity and how those could affect the company. Then they can start asking the right questions of the C-suite to gauge whether the company has the right investments, policies, and processes in place to deal with the full spectrum of cybersecurity threats.
By adopting the following practices, board members can gain a better understanding of the risks and feel more confident navigating complex cybersecurity decisions. These practices form a foundation for board members to ask the smart, targeted questions around cybersecurity needed to set actionable goals and hold executives accountable.
- Regular training on cybersecurity awareness, including the most common types of attack and the available solutions. At the very least, annual training should be provided by cybersecurity professionals who understand not only your organization but also the cyber threats at the industry and local levels.
- Regular updates on the state of the firm’s cybersecurity, including a comprehensive review of cybersecurity operations. Rather than a simple incident report when something goes wrong, boards should demand a dashboard that allows them to see the full picture of cyber risks and defenses.
- Regular review of the growing obligations and legal risks around data privacy as state, federal, and international legal frameworks evolve.
- See every cyberattack and incident categorized, including those that were prevented. Often, directors are only informed about successful attacks, but the total number and type of attacks is important for understanding the overall threat landscape and determining risk. Conduct a cybersecurity incident response table-top exercise with select board members observing management’s response to a sample threat scenario.
- Test and verify the organization’s cybersecurity and controls by requiring independent, third-party assessments.
- Document cybersecurity discussions at the board level. This will provide hard evidence of the board’s diligent oversight in the event of future litigation, audits, and cyber liability insurance assessments.
These simple, non-technical questions illuminate the responsibilities and budget around cybersecurity, which can then trigger more focused follow-up inquiries. Lately our clients have found themselves asking:
- How do we protect sensitive corporate data on smartphones, and what would we do if there was a breach?
- What kind of cybersecurity insurance do we carry, and is it enough?
- What is our budget for cybersecurity, and should it be increasing in light of the heightened threat level?
If board members engage directors and IT by asking questions on a regular basis, they can protect themselves legally. Considering the triple-digit increase in ransomware damages last year, boards should engage with IT partners as if the organization is going to face a major breach next week.
BPI helps leaders understand cybersecurity and protect their organizations (248) 357-3980.