If you sit on a board, you must get smart about cybersecurity. You have no choice. Not only that, you must ensure that your fellow board members are also smart and informed—and that the board has in place formalized processes and procedures to make you all smart and keep you that way.
You can’t exercise your fiduciary responsibility for oversight if you don’t know what questions to ask. Risk comes in various forms, flavors, and factors. We are now dealing with ransomware, data breaches, and DDoS attacks, among others.
We are dealing with potential attacks that can cripple our operations, expose us to lawsuits and regulatory fines, destroy our reputations, irreparably damage customer goodwill, and prevent us from going forward on our journey toward digital transformation. In today’s cybersecurity environment, and tomorrow’s, boards must be proactive, not reactive.
Step 1: Understand and Define the Board’s Role
The first step in getting smart is to understand and define the board’s role. The board’s primary responsibility is oversight. Boards do not have to enact cybersecurity policies, but they have to understand which policies are in place, if they are being monitored, and how they are being enforced.
If the organization is not doing enough to protect vital assets or to ensure regulatory compliance, boards have a fiduciary responsibility to at least ask questions and, if they are not satisfied with the answers, then to take action. When we look at typical governance responsibilities for cybersecurity, we see that the board is the second line of defense, as follows:
- First line of defense: Line management
- Second line of defense: Board oversight
- Third line of defense: External consultants / Cybersecurity advisors
Step 2: Hire the Right Experts
Recognizing that the chief responsibility is oversight, the next step is for the board to become educated about cybersecurity. Collectively, the board must have the knowledge, awareness, and insight to ask the right questions. Then, the board should be able to interpret the answers and put them into the context of the organization’s overall risk profile when it comes to cybersecurity.
How does the board attain that knowledge and insight? I believe that cybersecurity has become so important—and the risks so profound—that the board needs to hire its own experts to advise and guide them. Relying on reports and briefings from executive management is essential, but not enough. The board needs to hire experts on its own, not just to interpret what management is saying and doing, but also to understand which questions to ask management—and when.
Step 3: Personalize Cybersecurity
Board members need to be aware that they are a valuable target for adversaries, and they must be role models for others in the organization when it comes to following best practices in cybersecurity.
If you are on the board of an organization, you have access to vital data that could be of extreme value to adversaries. You also likely have a wide range of permissions to access even more data. Finally, adversaries may assume that board members are more “old school” and perhaps less “cyber-aware” or sophisticated, so they may target them for attacks.
Your devices, personal emails, and social media accounts are all areas where you can be compromised. And you must always be cognizant of the risks. For example, traveling to certain countries can expose your organization to significant risk. When traveling, be careful with your IT assets. It may be worth leaving unnecessary data or equipment at home. You should also take special care with mobile devices and network connections. Big Brother may be watching.
Step 4: Establish the Necessary Checks, Balances, and Processes
Getting smart and staying smart about cybersecurity are not one-time activities. Rather, they are ongoing processes that require constant care and upkeep.
Boards are generally good at making long-term decisions. They may have an annual meeting with an annual budget and a full year to react to changes. In the case of cybersecurity, that does not work. The landscape is much too dynamic. Taking a year to react to anything is not reacting at all. It’s more like falling asleep at the wheel when the bus is going 110 miles an hour. So, boards need to be agile, proactive and, when necessary, reactive to current trends and events.
Board members also need to understand that you do not become more secure simply by spending more money. IT and security managers may want to hire more people and deploy the latest and greatest advanced technology. In certain circumstances, that may, indeed, be appropriate. But the people directly responsible for cybersecurity within the organization must be smart about it. I am a big believer that 80% of risk can be eliminated through basic cybersecurity hygiene.
When it does come to technology, however, the board should listen for specific language coming from their teams. Words like “automation” and “efficiency” are essential in today’s cybersecurity world. I often advise boards: The days of doing manual security are over. If we do things manually, the bad guys are going to beat us every time. Security in the 21st century has to be automated and boards need to understand that.
Another important point: We have to be smart about our technology investments. When we buy or build something new, we must get rid of the older technology. Your organization does not need to accumulate technology. In fact, when it comes to cybersecurity, that approach will actually work against you.
Step 5: Prepare for the Future
From the vantage point of the board, what can we do and how can we ensure that we as individuals and as leaders of organizations can be better prepared? Here are some suggestions:
- Focus on risk mitigation. If you can identify risks, you can take steps to quantify them. There are certain flex points when risk is heightened—during a merger or acquisition, for example. Be aware of these flex points and take the proper steps to mitigate risk when appropriate and necessary. In our organization, we have a three-year rolling risk mitigation program. Every company has a different view of the types of risks it is willing to take. It is critical, as a board member, to understand and help define the company’s overall risk acceptance.
- Invest in education, training, and awareness. Just as everyone is responsible for cybersecurity, so should everyone participate in education, training, and awareness programs. These programs need to expand beyond employees and contractors and move directly into the board room. Remember, it can take just one person failing for a breach to succeed.
- Measure, monitor, and mitigate risk. CISOs and CEOs need to be able to develop measurements so that board members can monitor progress and ensure that the organization is moving in the right direction when it comes to cybersecurity.
- Develop high-level framing. Board members need a high-level framing of risks and opportunities, even if it’s a half-day or a few hours every quarter, to educate them on the fundamentals of cybersecurity. They also need to be educated on some of the new technologies, as well as the importance of automation.
- Prepare for the worst. Crisis management, incident response drills, and cyber-incident simulations are needed at all levels, including the board. Start small and simple, and then increase the severity and sophistication to bridge the gap between technology and response.
- Translate security into business language. Organizations should have a business-oriented equivalent of a cybersecurity framework for board members. This would spell out the organization’s security model in a non-technical manner that focuses on risk, using business terms that board members can easily relate to and understand.
As a board member, you have a responsibility, not just for your own personal cybersecurity protections, but also to the organization as a whole.
If something goes wrong, you will be held accountable. It’s a difficult challenge, to be sure, especially in this fast-changing world. But it’s a challenge every board member should be ready to take on with passion, enthusiasm, and commitment. The future of the Digital Age is in our hands. Let’s make sure we are prepared.
Mario Chiock is a Schlumberger Fellow and former Chief Information Security Officer, where he was responsible for developing the company’s worldwide cybersecurity strategy. This article was excerpted from the newly released book Navigating the Digital Age, Second Edition.