With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are – serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not.
According to Harvard Business Review, only 47% of board members regularly engage with their CISO. That points to a large gap between cybersecurity reality and Board of Director awareness. And in a cyber crisis, your organization’s Board may be the body that has to make the key decisions that customers and clients, the public and now regulators expect.
The value of engaging the Board of Directors
As the Cost of a Data Breach Report 2023 shows, cyberattack and data breach costs are rising year over year: the 2023 report puts the average cost of a data breach 15.3% higher than in 2020. The attack surface of many organizations is also growing with digital transformation efforts.
With recovery costs skyrocketing and more technology to secure, boards need to be involved in key decisions and they should be aware of what kinds of protections are in place. Boards of Directors are responsible for ensuring an organization stays profitable and accountable to its stakeholders. An ill-informed board may be frustrated and left with the feeling of being unprepared in the case of a cyber crisis. It is better to inform them of security-related efforts sooner rather than later.
For several years, the U.S. Securities and Exchange Commission (SEC) has been considering cybersecurity requirements that place compliance and ownership on the Board of Directors. The most recent proposed rule would require public companies to disclose whether board members have appropriate cybersecurity expertise and adequate awareness to respond to a cyber crisis within their organization. This requirement reflects a growing expectation that organizations take ownership of data security, and it places more of the consequences of a cyber crisis on the Board of Directors and on those responsible for informing them and arming them with critical crisis response capabilities.
How cybersecurity leadership can foster a strong relationship with the Board of Directors
Engaging the board of directors may seem like a difficult task, but there are steps an organization can take to ensure that the Board of Directors is aligned with cybersecurity goals and objectives.
Step 1: Educate your Board
- Be sure to provide an overview of the latest regulations impacting your organization and the locations it operates in. Those not in security roles may not know the intricacies of breach notification timelines or the thresholds for disclosure.
- Ensure the board knows how security teams operate within your organization. Make sure they have awareness of the different vendors that are used to augment a response. In addition, familiarizing your board members with response plans, even at a high level, can further elevate the connection between cybersecurity leadership and board members.
Step 2: Develop a common vernacular with board members
- Establish a common security language with your board. This means ensuring everyone knows what acronyms stand for (ahem, CSIRP, CSERT and the like – they’ve become second nature to security professionals but not to everyone else). Also establish a baseline understanding of general security terms and threats; a single shared definition of each within your organization avoids confusion later.
- Define what a crisis is—and isn’t. By establishing a Cyber Crisis Management Plan, your organization will have baseline qualification criteria and definitions. We’ve seen it many times before: when teams don’t agree on these before a crisis, it causes a plethora of issues.
Step 3: Enlist support
- Enlist both internal and external resources to support your cybersecurity initiatives. Mobilize your organization’s C-Suite to foster a deep security culture across the organization.
- Providing a quality threat intelligence briefing to your Board of Directors can provide awareness and perspective that is tailored to the strategic goals board members care about. IBM X-Force Threat Intelligence is poised to provide this tailored threat intelligence to your Board of Directors. X-Force has a wealth of knowledge that can help your organization’s Board prepare and understand.
- Find support within the Board itself – some people, including board members, are security nerds at heart. Engage those individuals more and they’ll be your champions. Help them learn more. You may even have a cybersecurity expert on the board already.
Step 4: Communicate with the Board effectively
- Provide the board with monthly or quarterly high-level security updates highlighting key efforts including product implementation, tabletop or simulation findings and any other important security activities.
- Keep conversations non-technical and provide key metrics. These stakeholders don’t need all the nitty-gritty details, but it is helpful for them to know roles, timelines and when they need to be involved. Remember that a security response is a whole-of-business job and the Board is a part of that.
- Keep the line of communication open and involve the Board in any security newsletters or internal awareness campaigns.
Step 5: Practice
- If your board of directors wants a more hands-on and immersive scenario, the IBM X-Force Cyber Range has Business Response Challenges geared toward this audience. The team engages board members in conversations around regulations, business impact and health and safety. These experiences give board members the opportunity to respond to a cyberattack in a safe environment.
Engaging and communicating with your board of directors doesn’t have to be a daunting task. Take the time to understand members’ concerns and bring them meaningful updates, threat intelligence and metrics. The hardest part is opening the line of conversation and determining what each party needs. Once the relationship is developed, security teams and the Board will be able to converse more easily and effectively, and your organization will be better poised to protect itself.