Cybersecurity for the Board of Directors
According to Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. This is testament to the impact of cybersecurity risk on the continued digitalisation of the global economy.
Cyber-attacks have increased significantly in recent years bringing vital conversations about cybersecurity into the boardroom. As board oversight of cybersecurity has increased, board members – even those without technical expertise – have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these business leaders get a grip on their company’s cybersecurity posture.
The cybersecurity landscape is vast and understanding where you have gaps is vital. Below are some domains covering cybersecurity:
- Data security.
- Security operations and incident response.
- Identity and access management.
- Network and infrastructure security.
- Messaging security.
- Endpoint security.
- Cloud security.
- Risk and compliance.
These domains contain tools provided by various vendors. Your organisation does not have to acquire all the tools to be sufficiently covered against cybersecurity incidents. What is needed is for you to ensure you have adequate protection in place for what is important to your organisation.
While there are many lists of what boards of directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Businesses have unique risk profiles. However, where board members rely too heavily on predetermined frameworks and cybersecurity assessment checklists, they risk passing over the most urgent issues.
What are some of the common cybersecurity issues that C-suite executives often miss? To answer that I will have to draw on industry jargon – bike-shedding.
The dangers of bike-shedding
When there is incongruity between the extent of the board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.
This happens in board rooms when executive teams spend an unnecessary amount of time on trivia, neglecting the bigger picture, usually because the most important issues are so complex that teams focus instead on simpler, more solvable problems.
According to Gartner, when faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.
For decades an imaginary line has separated cybersecurity from ‘the business’ with most board members being not well versed in the topic nor even with a basic understanding of the impact it can have on their businesses. This has been compounded by many security leaders approaching the subject as a purely technical challenge dictated by technology and compliance constraints.
However, after years of near-limitless budgets and unsatisfactory results, the time has come for both security and business leaders to recognise that they have been asking the wrong questions and taking the wrong approach.
According to Gartner, security experts must connect cybersecurity to business outcomes. They go on to note that CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in organisations and drive security investments that directly impact business outcomes. Gartner confirms that while cybersecurity has been on board agendas for at least a decade, the pandemic has put a spotlight on the disconnect between executive understanding of cybersecurity and business’ actual capabilities.
Senior executives and stakeholders are always a target because of their influence on the organisation and access to valuable information. A cyber-attack can affect your entire organisation, making it the entire board’s responsibility, not just the role of the CIO/CISO.
In terms of raising the right issues, board members should have a stance on the company’s policy/response in the event of a ransomware attack. For example, will you pay ransom if that’s the only way to resume business operations? Will you have the capacity to engage in negotiations that will ensure the safe return of your data? Although the act of paying the ransom is not illegal in South Africa, have you considered going the route could be seen as sponsoring cyber terrorism? This will no doubt expose the organisation to a new host of risks.
What the board needs to know
One report notes that the role of a board of directors is to provide strategic oversight for a business and to hold management accountable for performance. Management is responsible for execution, including identifying, prioritising and managing cyber risks. It goes on to state that, while the specific information a board requires may vary – depending upon the organisation’s industry, regulatory requirements, operating activities, geographic footprint and risk profile etc., all boards look to management to translate technical, tactical details about cybersecurity into business terms, risks, opportunities and strategic implications.
This report further notes that board members are asking CISOs the following questions about cybersecurity:
- What is our cyber-risk appetite?
- What are the most important metrics we use to monitor and evaluate risk to the company?
- What is the business case for cybersecurity?
- How can cybersecurity enable other business functions across the enterprise?
- What are the levels of insider and outsider risk?
- How do we measure the effectiveness of our organisation’s cybersecurity programme and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organisation through indicators such as policy compliance, implementation and completion of training programmes?
- How do we assess the cyber-risk position of our suppliers, vendors, joint venture partners and customers?
The NACD’s Directors Handbook on Cybersecurity recommends keeping the following guiding principles in mind when preparing board-level reports:
- Ensure the data is relevant to the organisation’s business context and can be understood by the audience.
- Be concise: avoid providing too much information and eliminate technical jargon.
- Less is more: minimise text and include graphics and visuals to convey your key points.
- Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.
- Above all, board-level reports should enable strategic discussion and dialogue between directors and senior management..
These are excellent guidelines for board-level reporting. NACD goes on to confirm that cybersecurity is now a major strategic and enterprise risk matter that affects how companies operate, innovate and create value. Several characteristics combine to make the nature of the threat especially formidable due to its complexity and speed of evolution, the potential for significant financial, competitive and reputational damage and the fact that total protection is an unrealistic objective.
This last point is a sobering, but factual statement that should be enough to get every board member’s seat into the upright position and focused on the business value of implementing strong cybersecurity measures.