Cyber security risk can be levied at the entire company but ultimately it is the board of directors who bear the greatest responsibility. Board of Directors are under increasing spotlight for their input in how this critical business issue is prioritised, especially in the face of the mounting cost of cyber- attacks. After all, according to a 2018 report from the Centre for Strategic and International Studies (CSIS), nearly 1% of global GDP or $600 billion is lost to cybercrime each year. So, how can boards better strengthen their cyber security posture?
ESSENTIAL CYBER SECURITY CONSIDERATIONS FOR THE BOARD OF DIRECTORSIn order to strengthen your board’s cyber security posture, certain considerations should be taken into account. It is mission critical to reiterate to your board just why it is so important to assess essential cyber security criteria and why a cyber security skills shortage among the board can spell grave trouble. Here are 5 key elements to consider to fine tune cyber security posture:
GOVERNANCEA key take away from the EY Cybersecurity Board Summit held last year was that the board’s role is not cyber security risk management but ‘cyber security risk oversight’. Boards need to consciously define their approach to overseeing cyber security risk. They also need to link together the management, business unit leaders as well as IT and security leaders to better govern this risk. Security can be perceived as a huge grey area for many boards of directors as IT skills have been found to be lacking. In order to govern better, boards should also address their talent gaps when it comes to cyber security. The Harvard Business Review counsel that for optimal security businesses in ‘strategic mode should have an IT oversight committee chaired by an IT expert’.
PRACTICESThe dynamism of the cyber environment continues to keep board members on their toes. What practices that have worked 6 months previously may not work for the cyber incidents of today. PWC recommend 7 key areas to engage the board’s cyber focus:
- Have an oversight approach to this issue and work alongside a cyber expert
- Understand cyber as an ‘enterprise-wide business issue’
- Understand fully legal and regulatory requirements
- Discuss the competence of the company cyber strategy plan
- Engage in discussions with management about ‘cyber risk appetite’
- Stay up to date with all the right information concerning the programmes put in place and discuss regularly during board meetings
- Monitor cyber resilience in the boardroom at measured intervals
POLICIESThe board need to be kept informed of company-wide policies regarding internal controls, external activities and most importantly training. Especially within the board room, policies regarding communicating highly confidential information to each member should be clear. Introducing tools like secure board portals can allow board members to do so efficiently and securely via a digital platform.
PROCEDURESWhat happens in the case of disaster? How can boards prime themselves and the organisation to respond nimbly to a cyber-attack? Part two of this blog series will focus on the crisis management procedures that boards oversee to cyber breaches before, during and after the event. However, in a nutshell, here are some key questions that boards should be examining according to cyber experts:
- If the company does not have a cyber incident plan, why not? What is the company’s timeline to develop and test one?
- When is the board notified of cyber breaches?
- Should the board participate in or observe table top exercises to better understand the company response plan?
- Does the plan take into consideration preincident preparedness, actions during an incident and post-incident recovery efforts?
TALENT SHORTAGESRemaining agile in the face of cyber attacks means that hiring and nurturing talent is essential, not just on the board but throughout the organisation. A recent 2019 survey by CSIS found that “82% of employers report a shortage of cybersecurity skills, while 71% believe that this talent gap causes direct and measurable damage to their organisations”. By 2022, it is anticipated that there will be a global talent shortage in 1.8 million positions. So where does this leave the board of directors? While it is obvious that a board’s oversight responsibility considers risk governance, ethics and corporate responsibility, talent retention and especially that of cyber security talent can be overlooked. According to Deloitte to oversee potential talent risk boards need to take the following steps :
- Review talent related risks
- Develop measurable outcomes
- Assign the responsibility
- Monitor the talent pipeline
- Align the talent and business strategy
PART IIIn our next blog in this series, delve into cyber resilience procedures, strategy and research. Find out what are some of the biggest cyber security challenges around the corner for board of directors in the rapidly changing cyber landscape.
SECURITY, NOT COMPROMISESOne critical step for boards to take to ensure higher security protection involves securing the highly confidential information they have at their fingertips. By adopting a board portal, like DiliTrust Exec, board members can trust that their data (stored locally on servers in Europe, the Middle East and Canada), is GDRP compliant and ISO 27001 certified. To find out more information about how secure the DiliTrust Exec board portal is, please contact a member of our team today. Read part II of this content series here.
published on 2019/24/07