How Often Is Cybersecurity on Your Board’s Agenda?   

Have you ever wondered how much damage cyber thieves—or even well-intentioned but occasionally careless employees and business partners—can do over a 90-day period?

Perhaps exfiltrated customer data, compromised employee records or stolen intellectual property? Maybe your computer-controlled assembly line crashed, or your digital supply chain fell apart?

If you’re a board member or C-suite executive, you’re undoubtedly aware that cyber risk increases greatly as your organizational digital footprint expands. After all, the average cost of a data breach is nearly $4 million per incident.

So why are board meetings too often devoid of discussions of cybersecurity-related risk issues?

That’s what I wondered when I saw a survey conducted by consulting firm Deloitte. According to the survey, only 4% of executive respondents indicated that cybersecurity is on board meeting agendas on a monthly basis – a frequency considered best practice. And only 49% of the organizations put it on the board’s agenda quarterly.

Wow.

Just to throw some fuel on the fire, I saw that a study of corporate governance and risk oversight professionals indicated their organizations vet and review third-party business partners irregularly and, sometimes, not at all. In fact, nearly half of the respondents said their third-party risk programs and policies are assessed either once a year, or with no regular schedule.

This is concerning. Given the growing financial, legal, and brand damage that breaches can cause, it’s time for executives to rethink the frequency with which cybersecurity issues are presented, debated and acted on at board meetings.

Board-level communication frequency is key to reducing risk because it provides visibility of relevant facts to those charged with governance and gives them the ability to process the information and get in-depth with the CISO.

Compliance gets a lot of media coverage for all the good reasons. But security and privacy are essential topics at board meetings, not just because they’re part of overarching compliance decisions, but also because they impact the core business.

This is undoubtedly true whether you are part of a small, fast-growing business, a mid-sized government agency, or a multinational conglomerate operating under the umbrella of myriad regulatory agencies and subject to dozens of disparate statutes and frameworks. If you operate in a highly regulated space, like health care, finance, energy or other critical infrastructure, the stakes are even higher.

It’s not just public companies that need to pay attention: Data from the National Association of Corporate Directors indicate that less than half of private company directors feel their own understanding of cyber risk is currently strong enough to provide effective board oversight.

We also used to think that old-school industries like trucking didn’t have to make cybersecurity a priority because so many of their processes were still analog and manual. But that’s changed too, thanks in no small part to their increased use of technologies like item-level RFID, connected vehicles, and IoT-class sensors.

Irregular checkups are not a smart path forward – what’s needed is continuous board oversight of cybersecurity. Here are a few pointers to keep in mind when it comes to making better discussions of cyber risks a routine part of your board meetings:

• Board members don’t need to get into the technical weeds of cybersecurity conversations. CISOs and other leaders of technology addressing the board need to focus their message on the trends they are seeing, which groups are being impacted, what steps are being taken to reduce risks and, importantly, what resources will be needed in the near, intermediate and long term.
• Focus on vulnerabilities. Are the organizations’ employees committing human errors?Are third party vendors’ cybersecurity risk profiles out of alignment with your own? Are incursions coming from new geopolitical sources? Are your new IoT sandboxes being compromised because security has not been integrated into existing DevOps processes?
• Irregular board meeting discussions on cybersecurity are irregular for a reason. Maybe your board members aren’t as attuned to the new risk factors, or maybe your C-suite executives haven’t made it a priority. Take a long, hard look at your processes for defining, identifying and remediating risk—especially risk definition. The very nature of cyber risk is constantly changing, and this must be understood and assessed at the highest level of the organization.

As a privacy professional, I understand that presenting to the board is also a moment of accountability. It’s a good way to get their understanding that the organization is being diligent and to build a relationship of trust. Compliance may not be considered sexy, especially if nothing happens. If things aren’t broken it’s a good thing, but we need to avoid being complacent and have at least regular discussions on these topics to get the board to understand existing risks and how they are managed.

A good place to start is the relationship with members of the audit committee, which is tasked with overseeing compliance, privacy and cyber risk. They can help put cybersecurity on the radar of the whole board, get their support and more resources, and align on how you are measuring success. Of course, board members will take the same sober approach to cybersecurity as they do with finance, operations, sales and marketing. They will ask probing, “high-yield” questions.

For the CISO—and supporters in the executive suite—keep in mind that cybersecurity, compliance and privacy are fundamentally strategic business issues, not just technical ones. IT, SecOps and other functions traditionally seen as the domain of engineers and programmers no longer are just enablers of tools, and security must be seen as more than just firewalls or malware detection.

When that happens, organizations will have a much easier time getting cybersecurity on the board’s agenda and managing risk better.

Paola Zeni is Senior Director of Global Privacy at Palo Alto Networks.