Boards of Directors are ultimately liable and responsible for the survival of their organizations, and in today’s interconnected world cyber resilience is a big part of that responsibility, despite the fact that most boards are unprepared for the role.
Cyber threats are increasing day by day, growing more complex and constantly evolving. There is no way to be 100% protected. That is why cybersecurity is no longer just the responsibility of the information security department. Boards of Directors are ultimately liable and responsible for the survival of their organizations, and in today’s interconnected world cyber resilience is a big part of that responsibility. That means boards must take an active role in cybersecurity.
“CISOs should explain to the board that information security is everyone’s job and that anyone can bring potential security issues to the information security team.”
Ravinder Arora, Head – Information Security, IRIS Software
According to the survey, about two-thirds of directors are not confident about their company’s cybersecurity. There is a growing sense of exasperation, as if we were living in an age of a great plague, with bodies piling up in the streets.
If you are a company director, you need to know that your company is under attack. It is not your fault, but it is a problem you must deal with. Cyber security is not a technical problem to be left to IT; it is a business issue, and you must be able to demonstrate due care.
Many of the hacks against organizations are possible only because of sloppy maintenance practices by people and organizations, practices that have been tolerated because there are always more urgent, but not necessarily more important, things to do.
Corporate boards of directors are expected to ensure cybersecurity, despite the fact that most boards are unprepared for this role. A 2017-2018 survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyber-related risk is the most challenging risk they are expected to oversee. The ability of companies to manage this risk has far-reaching implications for stock prices, company reputations, and the professional reputations of directors themselves.
The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells in boardrooms nationwide and globally. Even as companies increase their investments in security, we are seeing more, and more serious, cyberattacks. If corporate boards are not sufficiently prepared to deal with cybersecurity, how will they be able to determine the effectiveness of current and proposed cybersecurity strategies? How can they know what operationally effective cybersecurity should look like and how it should evolve? And how can directors know what to ask so that they can make the right cybersecurity investment decisions?
A CISO deals day to day with risk, threat and breach prevention; put simply, it is their job to keep the bad guys away from precious company data. It is also a CISO’s core responsibility to keep on top of the latest policies and regulations and to keep a hawkish eye on trends in user behavior. The complexity of the issues CISOs handle on an ongoing basis can leave them isolated and removed from vital aspects of corporate governance.
The divide between boards and CISOs that the Club CISO report raises has existed since the inception of the role. In order to move forward and reduce organizational risk, companies will need to identify why this divide exists and, more importantly, how to close it.
CISOs should explain to the board that information security is everyone’s job and that anyone can bring potential security issues to the information security team. Protecting an organization includes the obvious initiatives (like keeping increasingly sophisticated adversaries at bay) as well as the less obvious ones (like getting product teams to consider the benefits of forcing users to change the default password on an Internet-connected device). This mindset shows that a CISO has a more expansive view of the risks facing an organization and is thinking holistically about risk.
Conclusion: Without question, boards should ensure that cybersecurity is appropriately addressed and sufficiently resourced. However, as important as the cyber imperative is, directors should not allow it to stifle innovation. Over the past decade, IT departments have consistently reduced operations and maintenance costs, funneling most of the savings into other priorities such as security. The board should ensure that information security gets the budget and resources it requires.