A recent study from the National Association of Corporate Directors highlights that one in five directors is dissatisfied with the quality of cyber-risk information that the board gets from management. The share of board members who felt their company was properly secured against a cyberattack fell to 37% in 2017 from 42% in 2016.
One of the primary reasons for this drop in cybersecurity confidence is that most boards simply don’t feel qualified enough to push their chief security officer for answers on what vulnerabilities their company faces and how they’re protecting against today’s attacks. As a result, most board-level conversations are general in nature, such as, “Are we spending on the right things?”
Cybersecurity needs to be a board-level discussion, and a vigorous one. Just consider the recent headlines illustrating the risks. FedEx and Maersk each forecast $300 million in losses tied to the NotPetya attack. This year, it is estimated cybercrime will cost businesses more than $2 trillion—a four-fold increase from 2015. And according to data from Juniper Research, the average cost of a data breach will exceed $150 million by 2020. The risks are not just financial; they could completely paralyze a business.
So how can board members get their hands around the issue? One of the biggest problems boards face is that they simply don’t have enough of an understanding of how attackers target companies and what the proper response should be. Security needs to be more than a series of patches or spending on security technology. Board members need to be able to understand their organizations’ vulnerabilities in the context of their security capabilities.
There are a lot of resources available for board members to educate themselves on the security challenges their businesses face. A great place to start is the NACD’s Director’s Handbook on Cyber-Risk Oversight, which lays out five principles that form a framework for proactively addressing cyber risks. It’s a practical guide that includes specific tips, templates, and resources for implementation.
The board’s enterprise risk management committee should also discuss the organization’s cybersecurity risk and preparedness directly with the executive team. In these discussions, there are three important points to understand.
First is what is being protected. Do we know what our assets are (IT devices, intellectual property, applications, etc.), especially in the autonomous, connected world we live in? How are we protecting those critical assets? How do we quantify cyber risk internally, and how is that tracked and benchmarked over time?
Second is who might attack. What are the threats that are the most concerning, and how have those changed over time? What is the model we are using to think about insider threats? How about threats originating in our supply chain?
Finally, discuss how the organization plans to defend against those attacks. Are we falling into the trap of assuming we can simply prevent every threat? What is our response strategy? Are we providing our security teams with the tools necessary to stop today’s attackers? How are we making sure we aren’t chasing the latest security and tech fad? What are our people and process challenges when it comes to security operations (burnout, training, knowledge management), and how are we managing them?
Once they have an overview of the risks and a framework, board members will be better equipped to drill down to their companies’ specific risks.
The cost and impact of cyberattacks and data breaches have been well defined—enough so that boards can no longer delegate the oversight of cybersecurity to the executive team. By understanding an organization’s vulnerabilities and position within the broader attack landscape, board members can better address shortcomings and potentially start mitigating those risks for their companies.
Betsy Atkins is CEO and founder of Baja Corporation and author of Be Board Ready. She currently sits on the boards of Wynn Resorts, SL Green Realty, Schneider Electric, and Volvo Cars. Rahul Kashyap is president and CEO of Awake Security. He previously was CTO at Cylance, a cybersecurity software company acquired by BlackBerry in 2019.