Over the last two years cybersecurity has leaped to the top of the boardroom agenda. If you’re like most board members, though, you haven’t had enough time to figure out how to think about cybersecurity as part of your fiduciary responsibility, and you’re not quite certain yet what questions to ask of management. You may even harbor a secret hope that, like many technology-related issues, cyberthreats will soon be rendered obsolete by relentless advancement.
Don’t count on it. Cybersecurity is taking its place in the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses “digitize” every aspect of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed, and therefore vulnerable to cyberattack.
Cybersecurity risk is not new. However, in the last two years multiple high-profile attacks have hit brands we all trusted with our personal information, making for big headlines in the media and significant reputational and financial damage for many of the victimized companies. What’s more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a perennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profile cyberattacks.
Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter’s goal is to help directors evolve their mindsets for thinking about the enterprise risk associated with cybersecurity and provide a simple blueprint to help directors incorporate cybersecurity into the board’s overall enterprise risk strategy.
Establishing the right blueprint for boardroom cybersecurity review
For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.
Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image of a corporation establishing an invincible perimeter around its network to keep bad actors out. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to detect and respond to intrusions as rapidly as possible and on mitigating the associated risks.
Also important to a board member’s cybersecurity mindset is to be free from fear of the technology. Remember, the issue is enterprise risk, not technical solutions. Just as you need not understand internal combustion engine technology to write rules for safe driving, you need not be excluded from the cybersecurity risk discussion for lack of technology acumen. Although this is liberating, in a sense, there is also a price: directors cannot disclaim their fiduciary responsibility to oversee cybersecurity risk on the grounds of lacking technology acumen.
Given a focus on enterprise risk (not technology) and risk mitigation (not attack prevention), the correct blueprint for cybersecurity review at the board level can best be expressed through the following three high-level questions:
- Has your organization appropriately assessed all its cybersecurity-related risks? What reasonable steps have you taken to evaluate those risks?
- Have you appropriately prioritized your cybersecurity risks, from most critical to noncritical? Are these priorities properly aligned with corporate strategy, other business requirements, and a customized assessment of your organization’s cyber vulnerabilities?
- What actions are you taking to mitigate cybersecurity risks? Do you have a regularly tested, resilience-inspired incident response plan with which to address cyberthreats?
Naturally, these questions are proxies for the industry-specific and situation-specific questions particular to each organization, which will produce that organization’s most productive cybersecurity review. The key to formulating the relevant questions for your organization is to find the right balance: ask enough to achieve the assurance appropriate to board oversight, but not so much that management ends up spinning its wheels unnecessarily.
How much board oversight is too much when it comes to cybersecurity? This chapter is drawn from Navigating the Digital Age, which covers board-level governance in more depth.