Many, if not the majority of, big decisions at organizations come from the boardroom. Typically, the board of directors focuses on driving the direction of the company. Because most boards approve yearly budgets, they have significant oversight of resources and areas of investment.

As cybersecurity attacks continue to increase, organizations must make key budgeting decisions that can affect the future of the company. Cybersecurity issues are now increasingly brought up to the board of directors at organizations across all industries.

“Overseeing cyber risk is incredibly challenging,” Dottie Schindlinger, executive director of Diligent Institute, said via email for a recent Cybersecurity Dive article. “With the global cost of cyber crime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative.”

Role of the board of directors in cybersecurity

Many organizations struggle to understand the role of the board of directors in cybersecurity, especially the level of involvement. According to the Diligent survey What Directors Think, board members ranked cybersecurity as the most challenging issue to oversee, ahead of digital transformation, innovation, new technologies and capital allocations. By providing support and education to your board members, you can reduce stress as well as help them access the information they need to guide your company.

Dr. Wolf Richter, a partner at McKinsey & Co., said during a McKinsey & Co. podcast that the board of directors and the executive leadership need to engage in a critical conversation. He said boards need to be able to answer these questions:

  • When will the attack come?
  • Is the organization prepared to detect it?
  • Is it prepared to stop it?
  • Can it mitigate the effects and get back to normal operations as quickly as possible?

“The board’s responsibility is to make sure that the executive team has a plan, is prepared and is preparing the whole organization for the eventuality of an attack. The question is not whether the attack is going to happen and how to prevent it,” said Richter.

Educating board members on cybersecurity issues

However, many board members do not have an IT background or experience with cybersecurity. The survey found that less than 9% of an average board has technical expertise. Additionally, half of the companies surveyed have no technical expertise on the board at all, which is especially concerning. Organizations must proactively educate board members so that they can make smart cybersecurity decisions.

  • Explain that cybersecurity means more than data protection. In the Harvard Business Review article 7 Pressing Cybersecurity Questions Boards Need to Ask, authors Dr. Keri Pearlson and Nelson Novaes Neto wrote that many board members think cybersecurity is still about protecting data, which was true many years ago. However, now that digital processes and tools control so much of a business’s operations, a cybersecurity attack can be devastating. For example, a cybersecurity attack can halt the digitally managed supply chain or cause issues with remotely controlled large equipment. By understanding the true impact that an attack has on an organization today, the board has the background to make the most effective decisions — especially in terms of funding.
  • Educate the board on the risks of reputation damage and business disruption. Many board members view the cost of cybersecurity only as fines charged for privacy violations. To help your board understand the importance and impact, talk about how cybersecurity can shut down operations for days or longer, which results in a significant loss of revenue. Additionally, a highly publicized attack leads to permanent reputation damage. This can cause many customers to stop doing business with a company. Share examples from high-profile breaches, especially those in your industry or affecting similar companies.
  • Provide information on how zero trust reduces the costs of a breach. Your board does not need to understand the ins and outs of zero trust. However, you should share how investing in this framework can significantly lower financial risks. According to the IBM Cost of a Breach Report 2022, organizations that do not use zero trust incur an average of $1 million more in breach costs compared to those that do deploy it.

A focus on zero trust

For a nontechnical board of directors, start by explaining that zero trust is not a single technology or process. Instead, it’s a framework of different approaches that you can build on over time. Previously, organizations defended a physical perimeter: on-premises servers inside an office building. However, the rise of remote work has radically shifted that approach. Organizations must now focus on ensuring that every user, device and app has the proper authorizations. With zero trust, you assume that every access request is unauthorized until it is verified as legitimate, hence the name “zero trust.”

  • Keep the board up to date on new cybersecurity disclosure acts. New legislation and policies will drive your organization’s cybersecurity policy. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed into law last year. The Cybersecurity and Infrastructure Security Agency (CISA) is currently developing and implementing regulations about reporting covered cyber incidents and ransomware payments to CISA. Other regional and industry-specific regulations are also in progress, which can impact the need for cybersecurity investment.
  • Bring in experts. Not everyone on your board needs to be a cybersecurity expert. However, the board needs access to security expertise to help guide its decisions. The Diligent report found that 59% of companies are now bringing in consultants or external experts to educate the board, while legal teams brief 48% of boards. Additionally, 47% of boards set up formal director education programs specifically for cybersecurity issues.

Education makes your board stronger

Your board of directors is the cornerstone of your organization. If the directors are not knowledgeable about one of the biggest issues affecting companies today, they cannot make the smartest business decisions. By proactively educating your board of directors about cybersecurity issues, you can help your board build the foundation your company needs to keep itself as safe from cyber threats as possible.
