• What We Do
    • Cybersecurity Services
      • Enterprise Cybersecurity Architecture Assessment
      • Third Party/Vendor Risk Management
      • Incident Response Management
      • Cybersecurity Risk Management
      • TableTop Exercise
      • Vulnerability Management & Penetration Testing
      • Cybersecurity Awareness Training
      • Customized Technical training
    • Business Advisory
      • Digital Transformation
      • Digital Strategy Development
      • Brand Marketing
      • IT Program/Project Management
      • Risk Management
      • Training
    • Web & App Development
      • Website Development
      • Mobile App Development
  • Who We Are
    • Our Company
      • About Us
      • Our Team
      • Mission and Vision
    • Our Clients
      • We Are Good Fit For
      • Case studies
    • Our Partners
      • Technical Partners
      • Partner With Us
  • Get Started
    • Get a Quote
    • Book a Clarity Call
    • FAQ`s
  • Resources
    • Blog
    • Useful Links
  • Contact Us
Book Consultation

Cybersecurity – what every board member should know.

January 31, 2023 0 Comments by admin-prax

This article is written for senior business leaders and, as such, avoids technical jargon. Its intention is to communicate simply and clearly what every board member and company director needs to know about cybersecurity, and what questions they should ask to get a better perspective of the cybersecurity risks to their organizations. Any technical aspects discussed are there only to give context to the considerable influence board members have on cybersecurity. Too often cyber folks quickly lose the attention of their company leadership with tech speak; therefore, this article concentrates on communicating business risk.
What is cybersecurity & why is it important?

Whether you are a new board member or have spent many years on a board, it is crucial that you have a clear idea of what cybersecurity is and the risks it poses to your organization. According to a recent National Association of Corporate Directors (NACD) survey, sixty-one percent of directors report that they would be willing to compromise on cybersecurity to achieve business objectives, while twenty-eight percent prioritize cybersecurity above all else. These are radically opposite views, so the natural next question is: which group is right?

The difference in responses has to do with how executives view cybersecurity: some perceive it as a business enabler, while others see it purely as an Information Technology (IT) or compliance issue and fail to appreciate the integral role cybersecurity plays in ensuring business operations run smoothly. To fully understand cybersecurity risks, we must first define cybersecurity. Cybersecurity simply refers to the tools, techniques, and procedures a business uses to protect its data (proprietary, customer, patents etc.), devices (computers, servers, networks, laptops, phones etc.), systems (HR systems, accounting software, manufacturing processes, customized computer systems etc.) and other services. With this definition in mind, it is easy to see the vital role cybersecurity plays in ensuring businesses operate smoothly and successfully.

For organizations to manage cyber risks effectively there needs to be a paradigm shift in the way senior leaders see cybersecurity. Business leaders must understand that cybersecurity goes beyond compliance and IT and is a key component of business strategy in our increasingly digital world. Simply stated: not having an adequate cybersecurity strategy, one that accounts for a business's unique risks and ensures the necessary steps are taken to protect the business from bad actors, is bad business and can threaten a business's survival.

Ultimately, company directors have a responsibility to act as advisors, question-askers, problem-solvers, and decision makers on matters such as the business's cybersecurity strategy. As such, it is a director's job to understand cybersecurity risks at a high level.

Ways cyberattacks can impact businesses.

According to the IBM report "How much does a data breach cost in 2022?", the average cost of a data breach increased 2.6%, from $4.24M in 2021 to $4.35M in 2022. With breach costs trending higher year over year, cyber attackers are getting more organized, investing in R&D, improving their attack mechanisms, and attaining greater levels of sophistication. Businesses in turn must double down on their efforts to address cyber risk at the leadership level as they pursue digital transformation. To quote Desiderius Erasmus, "prevention is better than cure".

What is the role of board members regarding cybersecurity?

The role of board members in preventing cyber attacks is splendidly explained in the Principles for Board Governance of Cyber Risk, which is the result of collaboration between the World Economic Forum, the National Association of Corporate Directors (NACD), the Internet Security Alliance (ISA) and a working group of industry professionals, supported by project adviser PwC.

In summary, to achieve a cyber-resilient organization that drives strategic business goals, the board must:

  • Understand cybersecurity as a strategic business enabler
  • Understand the economic drivers and impact of cyber risk
  • Align cyber-risk management with business needs
  • Ensure organizational design supports cybersecurity
  • Incorporate cybersecurity expertise into board governance
  • Encourage systemic resilience and collaboration

The following section explores board actions that put these principles into practice.

How can board members lead the way in cybersecurity?

Contrary to what most may think, board members have a crucial role in leading cybersecurity in the organization. The following are ways a board member can contribute:

Include cybersecurity on the board meeting agenda:

According to the NACD, sixty-six percent of companies scheduled cyber risk at least once on their board agenda during the last year. As a new board member, you can differentiate yourself by being a champion of cybersecurity and ensuring it is, and stays, a discussion topic at every meeting.

Understand the consequences of a cyber breach and plan accordingly

Boards must understand that good luck is not a strategy when it comes to cybersecurity, and their organizations must plan for an eventual cyber breach. To this end, it is the board's responsibility to ensure that the organization has a robust cybersecurity Incident Response Plan (IRP), that tabletop exercises against that plan are performed by an independent, unbiased external party, and that there is a well thought out and rehearsed business continuity process known to all relevant parties in the organization. Such a plan mitigates the financial impact of an attack and helps ensure the business can continue to serve its stakeholders effectively and with minimal downtime.

Ensure that the cybersecurity program aligns with strategic business objectives.

This point relates to our earlier emphasis on cybersecurity being a business problem, not a technical problem. In this regard, board members must have a high-level understanding of the business's cybersecurity strategy to ensure that it addresses key business risk areas such as compliance (e.g. the Payment Card Industry Data Security Standard, PCI DSS), reporting requirements (e.g. SEC reporting), data assurance, liability, governance, availability etc. Furthermore, it is vital that the board foster cybersecurity as part of the corporate culture, starting at the highest levels with mandatory, industry-specific cybersecurity education and threat briefings for executives.

Address the fact that board members lack a cybersecurity background

According to NACD data, board refreshment in the past year continued to neglect members with skills in cybersecurity (less than 2%) in favor of members with experience in executive leadership (60%) and finance (40%). It is time for new and existing board members to prioritize having a cybersecurity expert in their ranks and to ensure the right cybersecurity leaders exist in their organization. Having highly qualified cybersecurity leaders with strong technical and business backgrounds, as well as the ability to quickly build relationships with senior business leaders, is invaluable for companies seeking to make the connection between business risk and cybersecurity risk in the organization.

Understand that cybersecurity and compliance go hand in hand

It is crucial for board members to understand that governments are increasingly getting involved in cybersecurity, and organizations must make it an integral part of the business's compliance strategy. In industries like healthcare, government, and finance, strict privacy, data protection and security regulations and standards such as HIPAA, the Homeland Security Act, NIST SP 800-53, ISO/IEC 27001 and GDPR have existed for a while. And as reported in Stuart Madnick's HBR article, governments feel the need to do something, so we can expect a suite of new regulations and enforcement activities.

Understand the roles of the board in the event of an incident

The board must understand what is expected of them in the event of a cyber attack. To prepare for this, it is important to perform tabletop exercises regularly to educate board members on, and rehearse, their roles and responsibilities during a cyber incident.

Assess whether business-critical and high-value assets (HVAs) are adequately protected against cyberattacks

Ask the right questions and ensure the organization's most critical and high-value assets are protected at a level commensurate with their criticality. This sometimes involves engaging the services of an external party who reports directly to the board to provide an independent assessment, in the spirit of "trust, but verify".

Consider whether the spending allocated to cybersecurity is adequate

Is your organization spending enough on cybersecurity considering its size and industry? One way to answer this is to look at the value of the organization's critical assets and the cost to replace them or recover from a disaster, and to benchmark that against what other firms of similar size and sophistication are doing. The end goal is to achieve the right balance between spending and level of security, consistent with the business's risk appetite.

Understand cyber risk exposure from vendors/third parties

Understand your organization's exposure to cyber risk from suppliers, vendors, and business partners. Ask whether it is time to audit all third parties to understand what sensitive information is shared with them, review their contracts to ensure cybersecurity requirements are baked in (especially with legacy vendors), and establish what level of access these third parties have to your data warehouses.

Final thoughts

New board members have a unique opportunity to champion cybersecurity and use their lack of board tenure to ask the right questions about cybersecurity early on. As cybersecurity continues to gain prominence at all levels of business, it is imperative that boards stay engaged, understand the risks that inadequate cybersecurity poses to their business operations, and recognize the unique role only the board can play in making sure their organization has the right cyber governance and strategy in place.


Eugene Okwodu

Hi! I'm an author of this blog. Subscribe for more.


Contacts
Email:

info@praxtion.com

Phone:

(202) 978-3233


Copyright © 2023. Praxtion . All Rights Reserved
