Cyber Security: A Board Level Responsibility
- March 3, 2020
- Hiba Sulaiman
The idea that cyber security is a topic of concern for an organization’s board members is not new. For decades, private sector businesses and their IoT devices and networks have been targeted by cyber-attacks. The reason being their financial data storage, and critical infrastructure that threat actors sought to compromise. Data theft may no longer be their primary purpose for attacks. But destructive attacks like WannaCry and NotPetya ransomware outbreaks have raised concerns for a proactive approach to strengthen cyber security stature. A cyber security testing company recognizes the need to increase awareness of cyber security across different hierarchy levels, especially the board members.
Due to the rapidly evolving cyber security threats, senior business leaders and board of directors are paying attention to cyber security strategies. There is a major change observed in how board members and executives are involved in implementing cyber security. Thus, there is a sense of urgency, which increases the need to be more proactive and address this risk beforehand. Having said that, there may still be a lack of clarity among some boards regarding how to add value to improve security. Since businesses use complex technologies and vast networks, they need to strike the right balance between efficiency and security – that is a great challenge for most enterprises. Here are a few tips for the board members:
Recognize Security As A Business Risk and Opportunity
Firstly, it is extremely important for board members to appreciate the impact IT can have on a business. They should consider security as their top business risk and opportunity. Often, security events have a significant impact on revenue and can lead to disastrous results.
Fill In The Technical Gaps
Security experts believe that domain expertise is not important for making smart cyber security decisions. Instead of focusing on technical details, security leaders should understand the risks and how to mitigate them in achieving a strong security stature.
Security concepts can be difficult to understand, so a brief security training for the board can be helpful. It is not only the board members who need this training, but the CISO can also learn something new about the technical details. In order to fill the gaps, security teams need to focus on the security program’s weaknesses and the board’s strengths. It allows the board to interact with security without hesitation and gives them a clear view of the current situation and how to devise a successful cyber security strategy.
Ask The Right Questions
We all know that absolute security does not exist. Although companies hire a cyber security testing company to evaluate and implement effective cyber security strategies, yet it is imperative for them to introduce a proper security program. So the best way to assess a security program is by focusing on the economic trade-offs. Board members should ask meaningful questions like are you utilizing the resources to resolve problems? They also need to understand if they are on the right track and ask what evidence would indicate that they are wrong? And how to find out that evidence?
These questions should be helpful for the CISO and Directors to make more strategic decisions regarding security. Since there have been tremendous technological changes in the past few years, it is essential to step out of the comfort zone and assess the consequences of security incompetencies.
Use The Right Format To Communicate
Typically, members of the board meet the CISO once a year, but there are companies that meet twice a year. Boards may also ask the CISO for frequent updates if the risk is higher than their threshold.
In addition, there are informal and unscheduled meetings that improve relationships. These informal meetings keep the strategy aligned and can be valuable in case of unforeseen incidents. However, boards should be careful and never exceed meetings as they can be inefficient.
With cyber security becoming extremely important, most of the organizations have created security committees. Most security leaders do not buy the idea and consider this might be distracting from the main business goal. Thus, if a company chooses to form a proper security committee, the members should be independent and have the right expertise in their domain to formulate and report the security status to the board.
Evaluate The Effectiveness Of The Security Program
There should be a top-down method so it is important for the CISO to have a tight grip on security and compliance risks. CISO’s vision and strategies should support the direction of the company to strengthen cyber security. Since incidents are bound to happen, it is important to detect and respond to security threats and mitigate risks.
The board members seek to help CISO and validate the security strategy with questions like what is the best security decision in a company? Or which areas are they reducing their focus? etc.
It is clear that the evaluation of these risks will be incomplete without the metrics required to measure the progress of the security program. Boards should inquire about how the program is measured and how the CISOs know that the measures are reliable. A cyber security testing company ensures that while measuring a security program’s effectiveness, the CISO is also leading in the right direction. The security leader should be able to execute the plan of action and report with due diligence.
It is also important to report to the right executives and board members, or it can pose challenges for the security program. Additionally, validation of the CISO’s cross-functional operation is also important in this regard. Creating the right balance between the board and CISO benefits the company. However, it is not that simple. Yet, if everyone is on the same page, then slight variations in the strategies and approaches can help in achieving success. The good side is, that with the right questions, approach, measuring progress and considering security as a business risk will help in improving a business’s cyber security position.