One of the biggest challenges facing the C-suite and boards is the failure to comprehend the universality of cyber security threats.

Yahoo Inc. recently told the SEC that its senior executives failed to "properly comprehend or investigate" the 2013 and 2014 security breaches that affected more than 500 million accounts, according to a review by an independent board committee. The review found fault at several levels of the organization. There were problems with internal reporting, management, and communication around the breach, the company said.

The fallout from these breaches has been severe. In addition to several class action lawsuits, the breaches also put Verizon's $4.83 billion pending acquisition of Yahoo! in jeopardy. Now, in addition to all of these problems, the findings of the board committee were accompanied by financial fallout for the company's CEO, Marissa Mayer. The board decided not to award Mayer her 2016 cash bonus, and Mayer offered to forgo her equity award in 2017, which the board accepted.

When it comes to cybersecurity, the onus is on boards and C-suite executives to establish clear business processes and accountability, as well as clear lines of communication. If that wasn't clear before, it should be crystal clear now.

It's tempting to sit back and point fingers at Yahoo!, but the reality is that this breach is hardly an isolated incident. One of the biggest challenges facing the C-suite and boards is the failure to comprehend the universality of cyber security threats and the negative impact of a major cyber security breach. This failure to comprehend the scope of the problem means the reporting and processes needed to effectively manage this risk are neglected and de-prioritized.

Harvard Business Review published a new study that sheds light on exactly how serious this problem is.
The study evaluated responses from over 5,000 board members from over 60 countries. While cyber security ranked as one of the top political issues and directors see it as an urgent global issue, most failed to make the connection between the immediacy of these risks and the processes in place to manage them. In fact, when asked about reviews of data breach contingency plans, directors gave their boards extremely low marks. Even worse, of the 23 business processes directors were asked to rank, the ones related to cyber security ranked dead last.

These failures to comprehend and effectively manage cyber security issues at the board level are a serious problem. An IBM study found that the average cost of a data breach is $4 million. A recent Cisco study found that 50 percent of companies faced public scrutiny after a breach, 22 percent of them lost customers, and 23 percent lost business opportunities.

Cyber security can be a complex and challenging topic for non-technical executives, but there are many concrete things boards can do to prioritize these issues. Here's a list of five things every board should do today:

1. Make cyber security briefings a regular agenda item at board meetings.
2. Bring in an expert; if there isn't a cyber security expert on the board, bring one in or hire an external expert.
3. Make sure these risks are evaluated as business risks; resist the temptation to consign them to the audit committee.
4. Hold executive management accountable for evaluating cyber security risks and maintaining response plans.
5. Build cyber security into the organization's long-term business strategy and review it whenever new business initiatives, products or services are evaluated.

None of these recommendations is surprising — there is a lot of information available to boards that want practical advice on how to address cyber security issues. The real cyber security questions for most organizations are connected with leadership and prioritization.
I've been sitting on boards (and executive teams) advocating for over 17 years and I've found that the answers to these questions determine how effectively an organization adapts to the evolution of cyber security threats.