As more public security breaches occur and business disruptions caused by ransomware increase, board members have started to pay more attention to cybersecurity. As a result, board members need to be cyber-savvy. In its Top Security and Risk Trends for 2021 study, Gartner identified cyber-savvy boards as a top priority for organizations, attributing this to the number of highly publicized security breaches, which continues to grow. As cybersecurity becomes more relevant with each passing day, here are three reasons board members should become cyber-savvy, pay closer attention to security posture, and establish a cyber-aware board.
1. Cyber Risks = Business Risks
In the World Economic Forum’s 2021 Global Risks Report, cybersecurity failure was ranked as one of the top five short-term business risks. Among technology-related risks, it ranks first. Concern about cybersecurity failure only continues to grow as organizations become increasingly digitalized and dependent on technology.
Digitally transformed companies should make cybersecurity and data-related risks their top priority, and implement risk management strategies and cybersecurity best practices to reduce these cyber threats. By keeping cyber threats and risks as a top priority, organizations will be able to mitigate and minimize the threat surface that cyber risks encompass.
2. Everyone is Responsible for Cybersecurity
While cyber-attacks target the digital network of an organization, they also affect the physical world. Gartner predicted that by 2024, 75% of CEOs will be “personally liable for cyber-physical security incidents.” This is because incidents related to cyber-physical systems (CPSs) can lead to physical harm to people, destruction of property, or environmental catastrophes. The financial impact of a cyber-physical attack is also expected to reach $1 billion USD by 2023.
With stakes this high, both for human life and financially, organizations that suffer a cyber-physical security attack will experience significant losses. As a result, industry leaders and board members must take action to mitigate and minimize the risks. Everyone within an organization must implement and practice actionable security measures, because cybersecurity does not fall solely under the IT department’s responsibilities.
Cyber criminals exploit every possible means to launch cyber-attacks. This includes evolving the technology they use as well as targeting individuals within an organization. Cyber criminals target anyone who has access to an organization, and they use social engineering to take advantage of your trust. For example, spear phishing often uses social engineering to target high-ranking executives: the email appears to come from a trusted individual, which may result in an executive carelessly clicking on a suspicious link or authorizing a fraudulent payment.
Anyone in an organization can be targeted by a cyber-attack. As such, it is critical for organizations to emphasize the importance of cybersecurity among everyone within a company.
3. Increase Your Board’s Cyber-Resiliency
In Gartner’s 2021 Board of Directors Survey, the second-highest source of risk for an organization, after regulatory compliance, was the board of directors itself. Therefore, by increasing the board’s cyber-savviness, you would also be increasing your board’s cyber-resiliency, which in turn reduces the cyber risk to your organization.
Cybersecurity incidents should be treated with the same vigilance as traditional financial losses and business disruptions. Preparation for cybersecurity incidents should be made to minimize potential business losses and disruption. This is especially so because cybersecurity affects the digital world, which connects the various departments within an organization. An incident or breach in one department may affect the security of other departments or organizations, affecting supply chains and even entire industry sectors.
The need to increase board members’ cyber resiliency has started the shift toward creating cyber-savvy boards. To do this, the Board of Directors should include an IT professional among the board members or create a dedicated cybersecurity committee, led by an IT professional or a third-party consultant. Having an expert on the board helps explain the cybersecurity situation and threats more clearly to board members who have no experience in cybersecurity.
What Cyber-savvy Boards Bring
A Board of Directors that becomes more cyber-savvy will bring several changes to an organization’s cybersecurity. With a clearer understanding of the cybersecurity landscape, board members will start to:
- Increase support to address the cyber threat landscape (i.e., increased budget and resources)
- Increase scrutiny and expectations from the CISO and security teams
With the increased support and expectations, board members will want to understand what improvements are being made to their organization’s cybersecurity landscape. As a result, board members will most likely set requirements for reporting on how well the implemented measures are performing. Such reporting shows how well the cybersecurity measures protect the organization from cyber-attacks while maintaining business continuity.
How to Become Cyber-savvy
As a cyber-savvy board, you should focus on the following cybersecurity topics:
- Cybersecurity Strategy: Creating a cybersecurity strategy and roadmap allows you to proactively protect your organization’s assets from cyber threats. With a security roadmap, you will have a basic foundation for your cybersecurity, which will help you adapt to new cyber threats and regulatory requirements.
- Policy Review: You should always evaluate your most recent policies to ensure they are adequate to protect your organization. Alongside policy review, the board should also look into and review the budget allocated to cybersecurity. This is to ensure the department is properly funded to implement security initiatives.
- Lead by Example: Employees look to their superiors to see how they should act. As such, a company’s leadership must follow and support the cybersecurity policies implemented in the company.
- Business Continuity: Your organization needs more than just a cybersecurity strategy. It is critical for organizations to have a cybersecurity plan that aligns with business objectives. As such, having a cyber incident response plan is necessary to ensure your organization will continue to operate effectively even during a cyber-attack.
- Continuous Monitoring and Assessment: Board members should continuously monitor and revise the organization’s cybersecurity controls and measures. This will ensure the cybersecurity measures implemented are up-to-date and effective.
- Cybersecurity Awareness: As mentioned before, the responsibility of cybersecurity does not fall onto one individual or department. Therefore, organizations should implement a comprehensive cybersecurity education program for all employees in their organization. This will promote a stronger cybersecurity culture and encourage employees to be responsible when addressing cybersecurity-related situations.
Conclusion
Board members have the duty to oversee a company’s management of cybersecurity, which includes oversight of risk mitigation strategies, systems, processes, and controls. To ensure these risk mitigation items are appropriate and effective, the board needs information about cybersecurity risks so that it can fulfill its oversight responsibilities properly.
To fulfill these cybersecurity responsibilities, boards can leverage the intelligence of Cyberator to merge and map cybersecurity frameworks against the existing and future posture of the organization. Cyberator provides a maturity report that presents the metrics for the maturity of the organization’s cybersecurity program. As a result, boards will better understand the state of their organization’s cybersecurity.
Cyber-attacks are no longer a matter of “if.” Instead, you should address cyber-attacks as a matter of “when and how often” they will occur. Cybersecurity should not be treated as an afterthought; it should be considered a top priority among organizations, to ensure the safety of critical assets, brand reputation, and regulatory compliance. By having a cyber-savvy board, your organization can promote cyber resilience and business continuity, ensuring the safety and security of your organization’s digital landscape.