For the Board, Focus Should Be On ‘Cyber Resilience’

Cybersecurity has taken its place among the catalog of enterprise risks that demand long-term boardroom attention. It is sweeping in with the digital transformation that is taking place in virtually all industries in the global economy of the 21st century. As businesses digitize all aspects of their operations—from customer interactions to partner relationships in their supply chains—corporations become more and more electronically exposed and vulnerable to cyberattack.

For board members, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise-risk guideline is especially helpful in the context of cybersecurity, because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can—and will—break into a company’s network.

Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber-resilience mindset is this: Because you know network data breaches will happen, it is more important to focus on preparing to meet cyber threats as rapidly as possible and to mitigate the associated business risks. Given this focus on enterprise risk and risk mitigation, the correct blueprint for cybersecurity review can best be achieved by asking these high-level questions:

  • Has your organization appropriately assessed its cybersecurity-related risks?
  • What reasonable steps have been taken to evaluate those risks?
  • Has the organization appropriately prioritized all cybersecurity risks from most critical to noncritical?
  • Are these priorities aligned with corporate strategy, other business requirements, and a customized assessment of the organization’s cyber vulnerabilities?
  • What action is the organization taking to mitigate cybersecurity risks—i.e., is there a regularly tested, resilience-inspired response plan with which to address cyber threats?

Naturally, these questions are proxies for the industry-specific and/or situation-specific questions particular to each organization. The key to formulating the relevant questions for your organization is to find the right balance: ask enough to achieve the assurance appropriate for board oversight, but not so much that management ends up floundering in the weeds.