Directors Must Go Beyond Compliance to Limit Risk

Digital transformation can make businesses more efficient and profitable, but it also introduces new entry points for hackers throughout an enterprise, significantly increasing business risks from cyber-attack, according to a cyber-focused chapter of the National Association of Corporate Directors’ (NACD’s) recent publication, 2018 Governance Outlook: Projections on Emerging Board Matters. As a result, board members are devoting much more time and energy to cybersecurity discussions, even as governments adopt new regulations to prevent potentially devastating outcomes of weak security.

The chapter, written by Ryan Gillis, Palo Alto Networks’ vice president, Cybersecurity Strategy and Global Policy, suggests that while regulatory compliance is a solid start to maintaining tight cybersecurity, the increasing volume of rules can become a trap for board members: it’s easy to get stuck in the weeds, distracting businesses from real-life situations. Instead, the goal should be to extend beyond surface-level compliance and dive deeply into guaranteeing the long-term vitality of an organization. To help stress the need to combat cyber risk, here are a few key projections from the chapter that board members should consider:

1. Regulatory developments will keep emerging. The EU’s upcoming General Data Protection Regulation (GDPR), its Network and Information Security Directive (NIS), and Singapore’s Cyber Security Act are all well-intentioned. But new regulations typically cause confusion, at least in the short term. It takes time and energy to get up to speed, and with these regulations it is important to do so quickly because they can levy massive fines for non-compliance. This can create a distraction, diverting resources from threat detection to things like reporting and accounting. In other words, compliance—though helpful—does not equal protection.

2. Risks will increase in variety and volume. Automated attacks, which are nearly impossible to prevent without incorporating new defense strategies, are on the rise. It’s crucial that board members understand not only how those new strategies will affect workflow and budgets, but also how the roles of the CIO and CISO must shift to keep reducing risk.

3. Attackers will become stealthier and more ingenious. The scale and intensity of attacks are increasing, so expectations and standards need to go way up. That way, boards can ensure their organizations are catching the risks instead of being blindsided.

What does this mean for board members?

With the changes afoot in regulatory requirements, it’s important to take a proactive stance without becoming a micromanager. A leadership role without excessive control will help boards form genuine partnerships with senior cyber risk managers. This kind of relationship can help fortify plans more effectively, allowing organizations to better reshape cyber risk reduction strategies.

Additionally, board members can educate themselves. According to an NACD survey of directors, only 73% of respondents said their boards had “some knowledge” of cybersecurity risks. And according to a NASDAQ study, 91% of board members cannot interpret a cybersecurity report.

A thorough understanding of enterprise cyber risks and corporate strategies to mitigate them will help board members and executives understand what additional resources—be it people, processes, or technologies—they may need to limit risk. This way, organizations will be able to keep their eyes peeled for cyber risks while maintaining regulatory compliance, instead of getting caught up in the regulations.