Engaging the Board in Cybersecurity Policies

Cybersecurity is often an aspect of business operations in which board members find it challenging to stay actively involved and to give meaningful direction to the organization. This is sometimes due to, or is at least frequently attributed to, the inherently complex nature of modern IT systems (and the equally complex security mechanisms placed around them) being beyond the technical understanding of most board members. But, as has been emphasized in previous Kroll “Global Fraud & Risk Reports,” it is more often the human element that leads to cyber-crime, fraud, and data breaches. This is certainly an area where board members and senior business leaders can and should be playing a truly important role.

It appears from Kroll’s latest “Global Fraud & Risk Report” survey that organizations are coming to this realization as well: 22% of respondents will be expanding their current use of board engagement to mitigate cyber risk, and nearly half (40%) are planning to launch new initiatives in the next 12 months to engage their boards.

Leading from the top matters. Employees are all too often referred to as the weakest link when in fact they should be regarded as the first line of defense. Direct involvement and example-setting by leadership should never be underestimated in shaping this mind-set. Trends also show that data losses are more often due to existing business processes that are exploited rather than direct attacks on the technology. Spotting gaps which ingenious attackers may utilize requires business acumen and people skills in addition to technical knowledge.

So how can boards become more effectively involved in cybersecurity risk-mitigation efforts? Taking steps to become directly involved in thoroughly reviewing cybersecurity policies and procedures will go a long way toward demonstrating the importance that the board assigns to the subject. But this is only half the story: If led from the top, testing and validating the effectiveness of these policies can be vital in protecting the cybersecurity health of an organization.

The following seven discussion topics form an effective starting point for boards working on establishing an active role in cybersecurity risk-mitigation efforts:

  • Do you understand your existing cybersecurity policies and procedures? If not, there is a need for these policies and procedures to be rewritten in concise and clear language. These documents are only effective if they are immediately understandable and workable.
  • Are you getting the answers that you need about your cybersecurity posture? Indeed, are you asking the right questions? If the IT and/or cybersecurity leadership cannot properly and fully articulate the strategy for delivering information security, such that this can be fully understood at a board level, then questions need to be asked as to whether the right person is representing the organization in these matters. Boards have a duty to their shareholders and other stakeholders to ask detailed and probing questions relating to the organization’s ability to protect its critical data assets.
  • In drawing up the policies and procedures, have you involved all the business heads? Cybersecurity should not be considered a silo. This is an organization-wide issue that needs input from leadership across the board, particularly when considering the gaps in business processes that may lead to cyber-fraud and business disruption.
  • Have you instructed that incident-response plans be tested? No matter how clear and well-written the policies and procedures may be, if they are never tested under realistic circumstances, then there is no way to determine whether they will work or not. Cyber-crisis table-top exercises (involving leadership) can be the most effective means of identifying (and subsequently remedying) potentially disastrous gaps that would manifest in a real incident. Any test should involve not just your IT/Security team and the points of contact for the executive team and the board, but all those whose expertise you will rely on in the event of an incident—legal, investor relations, HR, external technical experts, external counsel, and the crisis-communications teams, to name but a few of the most important stakeholders.
  • How are you measuring the effectiveness of cybersecurity spending? Boards are often asked to approve large sums for cybersecurity solutions and hires. Yet, what metrics do they have to measure whether these funds have been well spent? Has consideration been given to engaging independent external specialists to test the cybersecurity defenses in the same way that a real hacker would, without the prior knowledge of the cybersecurity team? Testing under real-life scenarios is the only way to effectively know if your security is working. In addition to testing, have you considered having your cybersecurity plans, projects, organization, and budgets reviewed by an independent third party?
  • Are you leading by example? Enhanced cybersecurity often leads to restrictions and tighter controls on device access and usage. When properly explained, it should be realized that these are for the benefit of organizational security as a whole. If boards and executives accept these measures and adopt enhanced security controls (rather than requesting exemptions for convenience), then this sends a message that security starts at the top and must be adhered to by everyone. Personalized messages in support of cybersecurity education programs can also go a long way to promoting organization-wide awareness and responsibility.
  • Have you considered enlisting expert advisors? At the very least, regular board briefings by appropriate and credible cybersecurity experts are a must. Many boards today are going one step further to engage this expertise in the form of non-executive board members. Boards are recognizing the steep cost that data losses and cyber-attacks are exacting in terms of both shareholder and brand value, not to mention operational and litigation costs associated with remediation. By addressing cyber-risk in the same way they do other critical organizational risks—i.e., managing the human factor and enlisting specialist support for legal and technical aspects—boards can play a vital role in safeguarding information assets in ways that meet wide-ranging regulatory and stakeholder expectations.

This article first appeared in Kroll’s “Global Fraud & Risk Report.” Used by permission.