Cybersecurity: How the Board Should Address Evolving Threats
The importance of cybersecurity has never been greater, especially following the substantial breaches which headlined during the COVID-19 pandemic. These security concerns, increasing in complexity, are pushing boards to get up to speed with constantly evolving cyber risks and to address cybersecurity governance challenges with vigor.
What is cybersecurity?
As cyber risk emerged with the rise of the Internet and new technologies, cybersecurity was developed to protect companies’ data. According to the National Institute of Standards and Technology, cybersecurity risk “relates to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems”. Any threat to sensitive data can profoundly affect operations and the organization as a whole.
Hence, the treatment of companies’ data and information has become more and more sensitive as global connectivity expanded, resulting in increased risks for companies.
Cyber risks are not only confined to identified competitors, which could use leaked information for their own benefit. More importantly, these risks relate to local and international laws, customer and employee privacy issues, and even unlawful third parties looking for ransom. As a result, cybersecurity has become critical for the safety of companies at all levels.
The current challenges of cybersecurity
As cyber risk developed, tech employees started to report issues and undertake measures not fully understood by non-tech specialists. Initially, cybersecurity matters weren’t even brought to the board. Some board members grew more and more concerned with cyber risks but continued entrusting the tech officer with full responsibility for cybersecurity.
This is one of the current cybersecurity challenges for the board: How to build an excellent cybersecurity policy and stay on top of the matter without being a tech expert?
Other challenges are linked to the very nature of cyber risk. Technology is constantly and rapidly evolving, and so are cyber threats. Data breach risks have never been higher with the massive digitalization of data, AI tools, automation, and the boom of connected devices. Local and international regulations are fragmented, to say the least, resulting in extra costs and more significant risks for companies.
The COVID-19 pandemic highlighted some of these risks, with some companies suddenly realizing remote work and undertrained employees might turn into entry points for cyber-attacks, including ransomware. In addition, companies often have to rely on third parties to store and process their data and even to ensure cybersecurity.
Who is responsible for managing cyber risk?
Cyber risks can no longer be ignored at the company’s highest level. Just like any other corporate matter, cybersecurity must be integrated into a responsibility and management chain. This means board members should be as involved in cybersecurity as tech officers. They just won’t be acting on the same issues.
The best options will be different from one company to another. Typically, an IT officer or a chief information security officer (CISO) takes care of cybersecurity from a technological and operational point of view. A CISO typically works alongside the IT team on all matters linked to data security. In general, the CISO brings a proactive attitude to cybersecurity, not just dealing with the consequences of security breaches. However, the CISO cannot be solely responsible for creating cybersecurity policies or for taking extreme preventive measures.
Directors have to step in. Depending on the company and how the board was designed, some companies might need to create a special committee to overlook cybersecurity risks and responsibilities. Other boards might only need coordination between the CISO and the cybersecurity specialist director. In any case, boards must become increasingly involved in cybersecurity strategies in order for companies to protect themselves from threats.
Apart from high-level strategies and big decisions, it is crucial to understand that everyone interacting with the company is de facto involved in cybersecurity. Employees in all departments, independent contractors, clients, users, etc., every party represents a potential weakness for the company. A security model must include the organization on all levels.
Cybersecurity governance: A new challenge for the board
Despite the increasing need for directors to be involved in cybersecurity, this field is often out of their expertise. In addition, new technologies are constantly evolving and being introduced, making it difficult for board members to get in line with their understanding.
To help mitigate this problem, the CISO or cybersecurity consultants can prove helpful. Before deciding on the best strategy for the company regarding cybersecurity, board members need to build a stronger relationship with their CISO.
Training, information, and reporting to the board are vital to tackling cybersecurity challenges.
Overseeing cybersecurity with committees
In some cases, the right choice might be tackling cybersecurity challenges through committees. This can be done by delegating cyber risk governance to the audit committee. On the one hand, the committee is usually already in place, members are used to working together through the audit field, and meetings might be already integrated into the director’s work calendar. On the other hand, members of the audit committee are not necessarily cybersecurity governance experts. In addition, the audit committee’s workload can be substantial, and there is a risk that cybersecurity might get overlooked.
Some companies are choosing other existing committees: governance committees, risk committees, and even technology subcommittees. Pros and cons with using these committees are likely to be similar to using the audit committee. However, depending on which members are involved in these committees, it might be the best choice.
Another solution is to set up a special committee to take care of cybersecurity governance: the cybersecurity committee. This solution is usually for larger companies, especially companies directly involved in tech and AI. It might be necessary to bring in new members and reshuffle nominations to implement the cybersecurity committee. Yet, if the size and product of the company require it, a special committee means choosing a long-term and proactive approach.