Cyberattacks are the terrorism of today, hitting societies, commercial companies and even individual citizens with data theft, money theft, ransomware, disruption of operations, public shaming, and loss of trust. The list of potential damage is long, and perpetrators are hiding in the dark web in jurisdictions outside of our control. The question is not whether you will be breached, but when or if it already happened without your knowledge. When a company’s digital assets are compromised, what would have cost one dollar of prevention will cost up to a thousand dollars of damage control.
Company boards hold the ultimate responsibility for the governance of the business. Cybersecurity (or information security) falls under risk management as a mandate of the Board of Directors. If you are serving on a board, you must develop and maintain an understanding of cybersecurity so that you can help to ensure proper governance of cyber risk at all times. Anything else amounts to negligence.
There are several significant challenges with managing cyber risk. If you don’t go into the technical details, your cybersecurity program may not work properly. If you do, it will take all your time and a high level of technical education. And even then, the threat landscape is changing. What worked yesterday may not work today.
To make sense of cybersecurity, we need principles and mental models that can help us govern the details and synthesize conclusions.
Four Cybersecurity Principles Boards Should Act on Today
Start by seeing cybersecurity as probabilistic risk management. There is no 100% security and no absolute defense against cybercrime. Rather, there are only probabilities. The good news is you can affect the probabilities. Good cyber hygiene will reduce the risk. As a board member, you can ask the chief information security officer (CISO) whether the organization is at a higher or lower risk of cyber breach than last time. It is the CISO’s job to know.
The second principle is to see cybersecurity as a matter of people and processes more than technology and products. Cybersecurity products are certainly needed. But it is not the firewalls or the encryption that makes you safer. It is the way people make use of them. Cybersecurity cannot rise to a high level of excellence without everyone in the organization seeing it as a vital (yet small) aspect of their work. Ask management how they train employees in cybersecurity and what cyber risk-reducing processes are in place.
The third principle relates to time. Set long-term goals for cybersecurity improvements yet build readiness to act quickly when something worrisome happens. Let improvements take time but don’t let necessary reactions take time. Let us discuss why. If you set short-term goals for cybersecurity, you will always play defense. You will put out small fires instead of preventatively building resilience against the significant risks. A myopic security strategy is not useful. That’s why you need a longer-term horizon for your cybersecurity programs. The best way to prevent war is to prepare for it.
But when you detect a threat or your organization records a serious incident, act immediately. If your systems are under a potential attack, hours and even minutes matter. So, build readiness for lightning-fast action in threatening situations. Quick reactions can help prevent a breach and will lower the cost of a fallout tremendously.
The fourth principle is to see the opportunities in cybersecurity. It is true that cybersecurity is about risk management, and it comes with a price tag. Cybersecurity means risk and cost. But correctly done, your cybersecurity posture can become a business catalyst. When you demonstrate your cybersecurity seriousness, you will be able to recruit some of the best talent. And in your dealings with partners and suppliers, a robust cybersecurity program gives you confidence and influence to build the best possible business relationships.
Using these four principles, any board member can play a useful role in managing the cyber governance of a company.
Questions Board Members Should Ask Their Organization’s Management
A board member’s cyber work starts with questions that you present to the management of the company:
- How bad can it get in case of a cyberattack? What are the various risks and scenarios?
- How likely are such threats to materialize?
- What are our mitigation strategies for the harmful scenarios?
- How are we equipping our employees to deal with cybersecurity topics in their everyday work?
- What longer-term initiatives are we running to strengthen our cybersecurity posture?
- How much should we budget for cybersecurity as a percentage of overall costs or overall IT costs?
- How will we keep track of risks and measure progress in reducing cyber risk?
The text above provides a mental model allowing any board member to be more effective in cybersecurity matters. The full picture is, of course, much more detailed and nuanced, but these principles are fundamental from which to work.
For boards of directors, incorporating cybersecurity into your overall mandate is imperative. This is more true today than ever, and the need continues to grow. We recommend all boards gain an understanding of and priority for cybersecurity as part of their governance responsibility.