
There are five key actions that every member of a public or private board of directors needs to take to support cybersecurity and cyber risk oversight at their companies.

Cybersecurity threats are evolving faster than ever. In the last year, we have seen cases, allegations, and actions brought against leaders and companies by shareholders and investors, the SEC, and others. The answer to “who is to blame” is never the same twice, but the enforcement effort, the search for that answer, and the demand for accountability wherever it lands are all sharply on the rise.

This not only worries and affects company executives; it also worries (or should worry) board members and audit committee members. The days of simply blaming the IT or security leader are over (although those leaders have not escaped their own accountability and role in whatever goes down).

I’ve previously written articles on how CISOs (or senior cyber leaders) and CIOs can be more effective together. I have also written on how the C-suite can better support its security teams and show more ownership, commitment, and support for what the company needs.

This article shifts the focus to the external leadership that sits on boards of directors, audit or risk committees, or whatever board entity is chartered to oversee cyber and enterprise risk. While internal company members can serve in some of these positions, this guidance is aimed primarily at externally recruited board members. These individuals are often retired or late in their careers, which can make staying ahead of the curve on certain topics harder (although I have seen some very astute and up-to-date board members who do not fit this stereotype). Regardless, I lean into the stereotype when coaching corporate practitioners and leaders as they prepare for BOD/AC meetings: keep it simple, keep most of your material in backup, and prepare as if you were presenting to a super-smart grandparent who may not have all the depth and context that you do!

But that is how I prepare company leaders to be ready for boards. How should boards be ready for company leaders?

The National Association of Corporate Directors (NACD) recently released updated guidance on cyber risk oversight for directors (nacdonline.org).  


Here are some key takeaways from that guidance, along with some of my own tips and advice for board members:

  1. Shift from IT Focus to Business Risk: Cybersecurity isn’t just an IT issue; it is a business risk affecting everything from reputation and operational resilience to financial stability. And guess what: most incidents do not start with a technical exploit, although one usually follows soon enough. Over 80% of incidents start with the human element. In most cases, the human element is an employee or contractor being manipulated by a bad actor (an insider or an external attacker) into opening the locked door to the house. Action: Board members should be pushing for a cultural transformation, and that will not happen through an approach driven by the IT leader alone.

     Additionally, does IT know the deep, intimate details of business operations and processes? Do they know every nook and cranny of the critical business processes that could be exploited or accidentally broken? Do they even know what your company’s critical business processes and information are? In my experience very few do; some are guessing, and most do not. Action: Board members should be pushing for business risk context and for prioritization focused on what matters most first. That does not mean a cyber program should STOP there, but a random approach, or trying to boil the ocean, will work 0% of the time.

     Recent incidents have rebutted the long-standing misconception that IT or security should own business continuity planning (BCP) in addition to disaster recovery planning (DRP). I have always been firm that IT should own DRP, but the business executives and department leaders who oversee critical operations must own BCP (even if an IT leader is accountable for facilitating the process for the organization). The recent Change Health incident and the sweeping wave of hospital-targeted ransomware have opened the eyes of many leaders: BCP plans need to consist of what business leaders have pre-planned to do when some or all of their critical IT systems are rendered useless. For hospitals, the simple example is paper medical record charting. 40–60-year-old nurses have become the heroes of BCP, resurrecting these processes both proactively and reactively. Action: Members need to push for accountability in business continuity planning and ask tough questions about what the plans are and how they will work. We’ve seen a significant uptick in requests for BCP tabletops, some in concert with cyber incident tabletops and some stand-alone.

  2. Embrace Ongoing Education: Directors don’t need to be technical gurus, but they do need a basic understanding of cyber threats, of the business risks and critical areas of focus, and of best practices. Several resources are available, including NACD’s Cyber Risk Oversight Handbook. Action: Board members should seek independent education on cyber, because education from the company you are supporting may carry “confirmation bias” that reaffirms the approaches and decisions already set. At Reveal Risk, we’ve had the distinct pleasure of supporting every level of the leadership chain (from CISOs and their teams, to business executives, to boards and audit committees). If knowledge and communication improve, companies can make better decisions and reduce or take risks with more intention.
  3. Ask Tough Questions: Don’t settle for generic reports. Engage with management, understand the company’s cyber risk profile, and inquire about incident response plans and ongoing vulnerability assessments. I’ve also created materials aimed at helping senior executives better support their cyber leader. These materials are also useful for board members, who need to be skilled at asking similar tough questions. Read more HERE. Action: Board members must become proficient at cutting through the filters that are so often applied as messages bubble up.
  4. Prioritize Resources: Cybersecurity demands dedicated resources. Advocate for adequate budget allocation and staffing for the security team. What are they NOT telling you as the message ladders up into the read-out you receive? Is the real story being filtered? Action: Board members can and should cultivate 1:1 relationships within the companies they support, so they can have robust conversations and gather data points outside of the quarterly board meetings. Senior executives may cringe at the thought, but let’s face it, board meetings are formal, structured, and limited (by design) in their level of engagement.
  5. Stay Informed: Keep pace with emerging threats and regulatory changes. Industry reports, conferences, and independent cybersecurity experts can be valuable sources of information. Action: Board members should dedicate a portion of their time (even if small) to staying current with cyber events and trends, and seek credible guidance that isn’t content marketing pitching more cyber tools. There is a reason almost every airport has at least one poster or billboard with a scare-tactic one-liner and a pitch to ask about or buy a router/tool/service. This is not the sage advice you are looking for.

By following these steps, board members can become more effective stewards of their company’s cybersecurity program, even without a deep technical background.

What are your thoughts on the evolving role of boards in cybersecurity oversight? Share your insights in the comments!

#NACD #cybersecurity #BoardOfDirectors #BoardGovernance #RiskManagement


At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit for purpose, and are sustained. If you want assistance building your company’s cybersecurity strategy, governance, and plan toward its desired state of maturity, please don’t hesitate to contact us at info@revealrisk.com.

317.759.4453  

About the Author

Aaron is a former Eli Lilly senior IT/Security/Audit/Privacy/Risk leader with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma Black Belt with a career emphasis on building and improving internal processes and controls.

