Four essential questions for board members to proactively address cybersecurity
Over the past twenty years, businesses across all sectors have undergone radical digital transformation. As a result, data has emerged as a critically important asset for almost every organisation. With cybercrime expected to cost the world $8 trillion this year and $10.5 trillion by 2025, the value of data for businesses simply cannot be overstated.
Unfortunately, despite the high stakes, too many board members still do not take a proactive interest in their companies’ cybersecurity strategies.
This is perhaps not surprising. Board members frequently lack the technical knowledge or the confidence to engage in detailed security matters, and so often find themselves treating the essential business of protecting and securing digital assets and systems as a matter for the Chief Information Officer (CIO) and Chief Information Security Officer (CISO).
However, if a company’s board of directors is to perform its traditional role as guardians of a business’ operations, it simply must have a working knowledge of how one of its most essential assets—data—is created, captured and protected.
This does not require developing in-depth technical knowledge or skills. Board members can start taking a proactive approach to cybersecurity simply by asking these four fundamental questions, and then assessing the strength of the answers in an effort to identify risk.
Question 1: Are we acting before we’re reacting?
Despite the best efforts of companies and their leadership to invest in top-of-the-line cybersecurity solutions and build highly proficient security teams, successful attacks can (and will) still occur. During a cybersecurity incident, there is no time to devise and organise a plan. It is therefore good security practice to prepare in advance so that teams know how to respond quickly and effectively in a crisis.
It is essential, both as good practice and for regulatory compliance, that the organisation has established a framework that ensures the team understands what is expected of it in response to an incident. This would include understanding what data and assets need to be protected, what qualifies as a material incident, and the processes for informing the board of directors and the appropriate regulators. Good leaders must also understand the professional and emotional impact of cyberattacks on the wider team; having clear guidelines set down in advance offers reassurance in moments of crisis.
Establishing this framework will avoid divergence between business objectives, regulatory compliance and the cybersecurity team’s understanding of these expectations, reducing the risk of miscommunication that results in repercussions on the business. The board must proactively ensure there is a robust and up-to-date framework in place and, if not, they must push the business to rectify this as a matter of urgency.
Question 2: Is cybersecurity investment considered a business investment?
As businesses embrace new technologies, it is easy to focus on the new markets opened up, whether that is online sales, international supply chains or additional market segments. In this traditional model, security is often an afterthought, achieved through a pick-n-mix of tools that often perform poorly, prove impractical at scale, and come at great expense.
However, regardless of the direction in which businesses seek to expand, a robust security function plays a crucial role in protecting and preserving the organisation’s valuable data. Cybersecurity must therefore be viewed as a business enabler rather than a cost-centre function.
Detractors may argue that cybersecurity is a drain on budgets. However, in reality, high-performing cybersecurity programs address critical business problems or risks, such as protecting corporate IP, securing customer data and enabling a secure remote workforce.
A high-performing security function is therefore critical to enabling businesses to deliver products and services safely and quickly and create a competitive edge because cyber risks are being actively and effectively managed.
A boardroom that takes a proactive approach to cybersecurity will view security investments as strategic business investments that are necessary to safeguard a company’s digital and physical assets and critical processes. After all, with the reassurance that company data and digital infrastructure is secure, the board can be bolder and more entrepreneurial in decision-making.
Question 3: Have we embedded cybersecurity across the business?
Business leaders must take a holistic approach to integrating cybersecurity principles and awareness into every level of the organisation. While security teams are ultimately responsible for cybersecurity operations, everyone in the organisation must be proactive in preventing cyberattacks.
The board must therefore ensure the business has a robust cybersecurity framework in place and is conducting regular vulnerability assessments to identify potential weaknesses in their systems and networks. Cybersecurity awareness training should be rolled out for all employees—including management—on a regular basis to ensure that employees understand the latest threats and how to respond to them.
Question 4: Do we have the right leaders driving cybersecurity efforts?
All too often, discussions concerning cybersecurity begin and end with technology, threats, attacks, and incidents, overlooking the significance of the leader’s role.
More than ever before, boards of directors must consider many factors when appointing cybersecurity leaders. What kind of leader should they rely on to provide thoughtful, informed, and informative updates on cybersecurity? Are they credible and reliable? Do they have the right skills and competencies to provide board members with the information necessary to execute their duty of care?
It is also important to recognise that addressing cyber risks is no longer just the remit of the cybersecurity team; it has become the responsibility of everyone across an organisation. Therefore, businesses should ensure they are selecting capable leaders who can support the cybersecurity function across the entire organisation.
Take an active interest, and start right now
If data is now a critical commodity for your business – and it almost certainly is – then cybersecurity must be treated as a critical issue by your board. Board members must view cybersecurity, not as a siloed division that only technical experts can engage with, but as a critical business function that needs to be proactively managed in line with wider business objectives.
The good news is that, although technology advances at a rapid rate, the bedrock principles of security evolve at a comparatively slower pace. By acquiring fluency in the language of cybersecurity, and asking the right questions at the right time, board members and business leaders will be able to make sure their organisations are better equipped to anticipate, plan for, and respond to the challenges posed by today’s increasingly complex security landscape.
Shamla adds global business experience, deep technical skills and legal expertise to her current roles. In leadership roles at high-profile companies, and on boards of public and private companies, she has built a track record of helping companies to create value while aggressively managing risk. Her experience teaching and practising law uniquely qualifies her to assess risks and identify steps businesses should take to operate within the bounds of new and complex laws regulating technology and data privacy.
She has a deep understanding of risk management through her work in finance, legal, technology, healthcare and energy. An experienced governance professional with audit committee experience, she can identify and evaluate business risks, and advise on which activities and investments will be most productive. Her experience in strategic investments, mergers and acquisitions also contributes to her board oversight activities, as does her extensive experience in human and financial capital management.