May 19, 2023 By Jennifer Gregory 4 min read

Many, if not most, of an organization's big decisions are made in the boardroom. The board of directors typically focuses on setting the company's direction, and because most boards approve the yearly budget, they have significant oversight of resources and areas of investment.

As cyberattacks continue to increase, organizations must make budgeting decisions that can shape the future of the company. Cybersecurity issues are now being raised with boards of directors at organizations across every industry.

“Overseeing cyber risk is incredibly challenging,” Dottie Schindlinger, executive director of Diligent Institute, said via email for a recent Cybersecurity Dive article. “With the global cost of cyber crime expected to reach $10.5 trillion by 2025, cybersecurity has become a board-level imperative.”

Role of the board of directors in cybersecurity

Many organizations struggle to define the board's role in cybersecurity, and especially how involved directors should be. According to the Diligent survey What Directors Think, board members ranked cybersecurity as the most challenging issue to oversee, ahead of digital transformation, innovation, new technologies and capital allocation. Giving board members support and education reduces that strain and helps them get the information they need to guide the company.

Dr. Wolf Richter, a partner at McKinsey & Co., said on a McKinsey podcast that the board of directors and the executive leadership need to have a critical conversation. He said boards need to be able to answer these questions:

  • When will the attack come?
  • Is the organization prepared to detect it?
  • Is it prepared to stop it?
  • Can it mitigate the effects and get back to normal operations as quickly as possible?

“The board’s responsibility is to make sure that the executive team has a plan, is prepared and is preparing the whole organization for the eventuality of an attack. The question is not whether the attack is going to happen and how to prevent it,” said Richter.

Educating board members on cybersecurity issues

However, many board members have no IT background or cybersecurity experience. The survey found that fewer than 9% of the directors on an average board have technical expertise, and half of the companies surveyed have no technical expertise on the board at all. Organizations must proactively educate board members so that they can make sound cybersecurity decisions.

  • Explain that cybersecurity means more than data protection. In the Harvard Business Review article 7 Pressing Cybersecurity Questions Boards Need to Ask, authors Dr. Keri Pearlson and Nelson Novaes Neto wrote that many board members still think cybersecurity is about protecting data, which was true years ago. Now that digital processes and tools control so much of a business's operations, a cyberattack can be devastating: it can halt a digitally managed supply chain or disrupt remotely controlled heavy equipment. When the board understands the real impact an attack has on an organization today, it has the background to make effective decisions, especially about funding.
  • Educate the board on the risks of reputation damage and business disruption. Many board members view the cost of cybersecurity only as fines for privacy violations. To help your board understand the full impact, explain how an attack can shut down operations for days or longer, with a corresponding loss of revenue. A highly publicized attack can also cause lasting reputation damage that drives customers elsewhere. Share examples from high-profile breaches, especially those in your industry or affecting similar companies.
  • Provide information on how zero trust reduces the cost of a breach. Your board does not need to understand the ins and outs of zero trust, but you should explain how investing in this framework lowers financial risk. According to the IBM Cost of a Data Breach Report 2022, organizations that had not deployed zero trust incurred, on average, about $1 million more in breach costs than those that had.

A focus on zero trust

For a nontechnical board of directors, start by explaining that zero trust is not a single product or process. It is a framework of complementary controls that you can build up over time. Organizations once relied on a physical perimeter: on-premises servers inside an office building, with everything on the internal network implicitly trusted. The growth of remote work, cloud services and personal devices has broken that model. Organizations must now verify that every user, device and application is authenticated and authorized for each access request, wherever it originates. With zero trust, no request is trusted by default because of where it comes from; each one has to prove it is legitimate, hence the name.
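To make that contrast concrete, here is an added illustration (not code from the article, from IBM, or from any vendor product) of the difference between a perimeter check and a per-request zero trust check. The network range, the role-to-application policy table and the three sample requests are constructed assumptions; the point is that the legacy check asks only "where did this come from?", while the zero trust check denies by default and asks who, on what device, for which application.

```python
"""Perimeter model versus zero trust evaluation of a single access request.

Added illustration for the article; the network range, policy table and
sample requests below are constructed, not taken from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "inside the building" address range used by the perimeter model.
CORPORATE_LAN = ip_network("10.0.0.0/8")

# Constructed policy table: which roles may reach which application.
APP_ALLOWED_ROLES = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "sales"},
}


@dataclass
class AccessRequest:
    """Everything a policy engine knows about one request (constructed fields)."""
    user: str
    source_ip: str
    app: str
    mfa_verified: bool = False     # identity: did the user complete strong auth?
    device_managed: bool = False   # device: is it enrolled in device management?
    device_patched: bool = False   # device: does it meet the patch baseline?
    user_roles: tuple = ()         # app authorization: roles held by the user


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything that reaches the internal network is trusted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Default deny. The request is allowed only if identity, device health and
    application authorization all check out, regardless of source network.
    Returns (allowed, list of reasons for denial)."""
    failures = []
    if not req.mfa_verified:
        failures.append("identity: MFA not verified")
    if not req.device_managed:
        failures.append("device: not enrolled in management")
    if not req.device_patched:
        failures.append("device: below patch baseline")
    allowed_roles = APP_ALLOWED_ROLES.get(req.app, set())
    if not allowed_roles & set(req.user_roles):
        failures.append(f"app: no role authorizes access to {req.app!r}")
    return (not failures, failures)


# Constructed sample requests.
# 1. An intruder on the office LAN using a stolen password, no MFA, unmanaged laptop.
LAN_INTRUDER = AccessRequest(user="alice", source_ip="10.1.2.3", app="payroll",
                             user_roles=("finance",))
# 2. A remote finance employee on a managed, patched laptop who completed MFA.
REMOTE_EMPLOYEE = AccessRequest(user="bob", source_ip="203.0.113.7", app="payroll",
                                mfa_verified=True, device_managed=True,
                                device_patched=True, user_roles=("finance",))
# 3. A healthy remote device whose user simply is not authorized for the app.
WRONG_ROLE = AccessRequest(user="carol", source_ip="203.0.113.9", app="payroll",
                           mfa_verified=True, device_managed=True,
                           device_patched=True, user_roles=("sales",))


def compare(req: AccessRequest) -> dict:
    """Run both models on one request so the difference is visible side by side."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed,
            "reasons": reasons}


if __name__ == "__main__":
    for name, req in (("LAN intruder", LAN_INTRUDER),
                      ("remote employee", REMOTE_EMPLOYEE),
                      ("wrong role", WRONG_ROLE)):
        print(name, compare(req))
```

The perimeter model lets the LAN intruder straight through and blocks the legitimate remote worker; the zero trust check inverts both outcomes and also catches the third case, a healthy device whose user has no business in payroll. Real deployments evaluate far richer signals (continuous device posture, session risk, resource sensitivity), but the default-deny shape is the part a board needs to grasp.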

  • Keep the board up to date on new cybersecurity disclosure requirements. New legislation and policy will shape your organization's cybersecurity program. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022. The Cybersecurity and Infrastructure Security Agency (CISA) is now developing the implementing regulations that will require covered entities to report covered cyber incidents and ransomware payments to CISA. Other regional and industry-specific regulations are also in progress and can affect the need for cybersecurity investment.
  • Bring in experts. Not everyone on your board needs to be a cybersecurity expert. However, the board needs access to security expertise to help guide its decisions. The Diligent report found that 59% of companies are now bringing in consultants or external experts to educate the board, while legal teams brief 48% of boards. Additionally, 47% of boards set up formal director education programs specifically for cybersecurity issues.

Education makes your board stronger

Your board of directors is the cornerstone of your organization. If the directors are not knowledgeable about one of the biggest issues affecting companies today, they cannot make the smartest business decisions. By proactively educating your board of directors about cybersecurity issues, you can help your board build the foundation your company needs to keep itself as safe from cyber threats as possible.
