Six reasons why boards of directors must be engaged in cybersecurity

Cyberattacks are getting close, and certainly of increasing importance to boards of directors

Room for improvement

When one thinks of systematic risks to a large enterprise, cyberattacks and data breaches don’t usually top the list; such things as black swan events, natural disasters, poor business execution, and credit worries usually do. But cyberattacks are getting close, and certainly of increasing importance to boards of directors. However, this isn’t true of all boards; as our recent Global State of Information Security Survey revealed, the vast majority of enterprises meet with their CISO once a year or less. This slideshow demonstrates why that needs to improve.

Cyberincidents create enterprise-wide risk

Data breaches, cyberattacks, and significant events that change risk affect the entire enterprise, not just a business unit or a single division. That’s why the decisions necessary to mitigate such threats must be decided at the highest levels of the organization.

Lawsuits and compliance

The risks stemming from regulatory mandates and related lawsuits vary among geographic regions, from country to country, and from business unit to business unit. The board and the CEO are in the perfect position to know where the enterprise is today, where it will be tomorrow, and understand how to best guide risk management decisions.

Brand-busting headlines

When the news breaks about a significant data breach and customers, employees, shareholders, partners, and the media are all asking questions about the incident, the entire organization is affected and the board needs to be aware of the risks the enterprise faces, how they are mitigated, and how the organization will respond if the worst should happen.

Rapidly changing enterprise technology

The decisions on technology strategy often need to be embraced at the highest levels, and this will be more important than ever before in the years ahead. Enterprises will need to increase their investments in mobile and wearable technologies and apps, hybrid cloud architectures, and the Internet of Things, and become even more global in the number of markets in which they compete.

Security culture succeeds when top down

Too many CSOs feel like Sisyphus from Greek mythology, who was punished by being forced to roll a large boulder uphill, see it roll back down, and push it up again, repeating this forever. That sounds like the breach response cycle many enterprises are engaged in today. And they’ll stay stuck there unless they get support from the highest levels. Only the board and the CEO can help the security team focus on what matters most, provide the resources to secure it, and set the tone for the culture of the entire enterprise.

The majority of the critical infrastructure is managed by the private sector

Most of the critical infrastructure industries – chemical, communications, financial, IT, manufacturing, food and agriculture, and healthcare – are owned and operated by the private sector. When it comes to important data sharing and information sharing about threats and vulnerabilities, only the board, the CEO, and other top executives can decide what information should and shouldn’t be shared, and how to collaborate with the government and others in their sector to not only keep their organizations safe, but their industry and the nation as well.
