Risk Management May 19, 2023
By Jennifer Gregory 4 min read

Many, if not the majority of, big decisions at organizations come from the boardroom. Typically, the board of directors focuses on driving the direction of the company. Because most boards approve yearly budgets, they have significant oversight of resources and areas of investment.

As cybersecurity attacks continue to increase, organizations must make key budgeting decisions that can affect the future of the company. Cybersecurity issues are now increasingly brought up to the board of directors at organizations across all industries.

“Overseeing cyber risk is incredibly challenging,” Dottie Schindlinger, executive director of Diligent Institute, said via email for a recent Cybersecurity Dive article. “With the global cost of cyber crime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative.”

Role of the Board of Directors in Cybersecurity

Many organizations struggle to understand the role of the board of directors in cybersecurity, especially the level of involvement. According to the Diligent survey What Directors Think, board members ranked cybersecurity as the most challenging issue to oversee, ahead of digital transformation, innovation, new technologies and capital allocations. By providing support and education to your board members, you can reduce stress as well as help them access the information they need to guide your company.

Dr. Wolf Richter, a partner at McKinsey & Co., said during a McKinsey & Co. podcast that the board of directors and the executive leadership need to engage in a critical conversation. He said boards need to be able to answer these questions:

  • When will the attack come?
  • Is the organization prepared to detect it?
  • Is it prepared to stop it?
  • Can it mitigate the effects and get back to normal operations as quickly as possible?

“The board’s responsibility is to make sure that the executive team has a plan, is prepared and is preparing the whole organization for the eventuality of an attack. The question is not whether the attack is going to happen and how to prevent it,” said Richter.

Educating Board Members on Cybersecurity Issues

However, many board members do not have an IT background or experience with cybersecurity. The survey found that less than 9% of an average board has technical expertise. Additionally, half of the companies surveyed have no technical expertise on the board at all, which is especially concerning. Organizations must proactively educate board members so that they can make smart cybersecurity decisions.

  • Explain that cybersecurity means more than data protection. In the Harvard Business Review article 7 Pressing Cybersecurity Questions Boards Need to Ask, authors Dr. Keri Pearlson and Nelson Novaes Neto wrote that many board members think cybersecurity is still about protecting data, which was true many years ago. However, now that digital processes and tools control so much of a business’s operations, a cybersecurity attack can be devastating. For example, a cybersecurity attack can halt the digitally managed supply chain or cause issues with remotely controlled large equipment. By understanding the true impact that an attack has on an organization today, the board has the background to make the most effective decisions — especially in terms of funding.
  • Educate the board on the risks of reputation damage and business disruption. Many board members view the cost of cybersecurity only as fines charged for privacy violations. To help your board understand the importance and impact, talk about how cybersecurity can shut down operations for days or longer, which results in a significant loss of revenue. Additionally, a highly publicized attack leads to permanent reputation damage. This can cause many customers to stop doing business with a company. Share examples from high-profile breaches, especially those in your industry or affecting similar companies.
  • Provide information on how zero trust reduces the costs of a breach. Your board does not need to understand the ins and outs of zero trust. However, you should share how investing in this framework can significantly lower financial risks. According to the IBM Cost of a Breach Report 2022, organizations that do not use zero trust incur an average of $1 million more in breach costs compared to those that do deploy it.

A Focus on Zero Trust

For a nontechnical board of directors, start by explaining that zero trust is not a single technology or process. Instead, it’s a framework of different approaches that you can build on over time. Previously organizations had a physical perimeter with on-premises servers and an office building. However, the increase in remote work has radically shifted that approach. Organizations must now focus on ensuring that every user, device and app has the proper authorizations. With zero trust, you assume that every access request is unauthorized and then prove that it is, in fact, legitimate: thus the name “zero trust.”

  • Keep the board up to date on new cybersecurity disclosure acts. New legislation and policies will drive your organization’s cybersecurity policy. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed into law last year. The Cybersecurity and Infrastructure Security Agency (CISA) is currently developing and implementing regulations about reporting covered cyber incidents and ransomware payments to CISA. Other regional and industry-specific regulations are also in progress, which can impact the need for cybersecurity investment.
  • Bring in experts. Not everyone on your board needs to be a cybersecurity expert. However, the board needs access to security expertise to help guide its decisions. The Diligent report found that 59% of companies are now bringing in consultants or external experts to educate the board, while legal teams brief 48% of boards. Additionally, 47% of boards set up formal director education programs specifically for cybersecurity issues.

Education Makes Your Board Stronger

Your board of directors is the cornerstone of your organization. If the directors are not knowledgeable about one of the biggest issues affecting companies today, they cannot make the smartest business decisions. By proactively educating your board of directors about cybersecurity issues, you can help your board build the foundation your company needs to keep itself as safe from cyber threats as possible.

 |  | 
Jennifer Gregory
Cybersecurity Writer

More from Risk Management
Risk Management   June 9, 2023

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read
Risk Management   June 7, 2023

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read
Government   June 6, 2023

Will Commercial Spyware Survive Biden’s Executive Order?

4 min read - On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally. Commercial spyware has long been entwined with statecraft and spycraft, both…

4 min read
Risk Management   June 5, 2023

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and…

4 min read
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature