Is the board's involvement in cybersecurity really that critical
Most experts agree that one of the most important things boards can do is to set the security tone for the organization. (Also read "Six reasons why boards of director must be engaged in cybersecurity".)
“The board of directors, led by the CEO, should lead collaboration and security awareness across the enterprise,” says Steve Durbin, managing director at the Information Security Forum. "Senior executives understand that the global economy is still not adequately protected against cyberattacks, despite years of effort and annual spending in the billions.”
In discussions with security managers and CSOs across the country, they emphasized that it is crucial for the board to lead cybersecurity efforts. “The board can help the security team to focus on what matters the most to the business,” says Jay Leek, senior vice president and chief information security officer at Blackstone. “It can set the tone to make sure the organization takes security as seriously as it needs to be and that the required resources are available.”
When the board of directors or top executives are in sync with the efforts of information security teams, policies are developed and assets prioritized to be secured in ways that will best insulate the organization from attack. Otherwise, security becomes too focused on regulatory compliance, and passing the tests of regulators become the objective, rather than blocking and responding to adversaries and successful attacks.
LLoyd Marino, CEO of strategy and application development firm Avetta Global
“Because cybersecurity affects the entire organization, it should, without a doubt, require board oversight,” says LLoyd Marino, CEO of strategy and application development firm Avetta Global. “[Yet], while most IT departments and possibly security audit committees are up to speed on risk and risk assessments, most are not concerned with the business vision and matters of innovation, competitiveness, and strategy, all of which are crucial to operational technology and security oversight.”
That creates a disconnect between the actual threats that enterprises face and their ability to meet those risks, explains Monzy Merza, chief security evangelist at Splunk. “Well-intentioned policymakers develop policies to enable organizations to protect themselves,” says Merza, “but implementing policies without focus on critical assets and business requirements only manages to pass audits, rather than stop attackers.”
When it comes to such cybersecurity and risk management decisions, especially when determining the organization’s risk appetite, senior management, the board, and the CEO are the only ones in positions to be able to make that determination, most agree. “Cybersecurity is not one-size-fits-all and is very dependent on the type of organization and the level of risk the organization is willing to accept,” says Eric Cole, fellow and cyber defense lead at the SANS Institute. “All organizations must accept some level of risk and that can only be decided by the board being actively involved in understanding and approving the high level strategic security goals for the organization.”
That high-level strategic insight also is critical when the enterprise is moving to enter new markets, or using new technology. This could include new lines of business, entering into new geographies, or such things as the increased use of mobile, extending its IT out to the IoT, and expanding the use of cloud to more critical data and business processes. When engaging in such initiatives, boards are going to need to understand the data security, data privacy, and regulatory implications of these moves. Likewise, CSOs and security managers will need to know how to implement security controls to meet that level of risk acceptance.
In the years ahead, this may be more crucial than ever because enterprises are expected to increase their investment in mobile and wearable technologies and apps, hybrid cloud architectures, the Internet of Things, and become even more global in the number of markets where they compete.
It’s essential that boards and top executives be involved in these discussions and know how their organization’s cybersecurity efforts are impacted by these efforts – and the importance of these discussions can’t be overstated. “It is actually understated because most boards misunderstand security and therefore are misaligned with how security is implemented within an organization,” says Cole. “If after a breach the board fires the CISO or whoever was responsible for security, it is really saying that they were not involved in security.”