Why Directors Must Lead Cyber Defense and How
Data breaches and ransomware attacks are on the rise along with an increase in financial and reputational cost to business, industry, universities and others. The trend will likely continue until governing boards drive cyber defense strategically and earnestly, including making tough decisions on the investment of resources.
Despite all the attention given to the risk and consequences of a cyber attack, many organizations have neither developed a comprehensive cyber strategy nor prioritized the resources needed for information security. Surprisingly, governing boards by and large have not taken the initiative to establish and maintain cyber vigilance.
In an APCO Forum post two years ago about the vulnerability of academic institutions, I encouraged university leadership and corporate C-suite executives to elevate cyber defense to the highest levels. However, according to a recent report jointly conducted by NightDragon and the Diligent Institute, a mere 12 percent of S&P 500 companies have boards with the needed credentials to ensure cyber risk is properly handled. While cybersecurity is increasingly discussed, an overwhelming majority of the S&P “do not currently have an executive with specialized cybersecurity experience on their board to guide them on risk mitigation efforts,” according to the report.
While the options for governing boards are numerous, directors can quickly take four steps that will make an immeasurable and positive impact.
Educate Themselves
The NightDragon and Diligent Institute survey uncovered a “significant gap in expertise and education at the board level.” Simply put, too many boards are not cyber savvy.
For too long, cybersecurity strategy was left to the CISO and the CISO alone. While network security is a complicated and constantly evolving matter, directors don’t need a computer science degree or deep technical expertise. What they need is a working knowledge that equips them to ensure their organization has the latest policies and protocols to protect sensitive information.
At minimum, boards should require consistent briefings on what network security improvements are completed, underway or planned. The same goes for reports on trends and best practices in their specific industry.
Trend Micro’s August report quantifies a spike in cyber attacks during the first half of 2023 with no sign of slowing for the remainder of the year. The disturbing numbers are all the proof directors need to grow their cyber sophistication.
Establish a Cybersecurity Committee
While all directors should have a baseline of cyber knowledge, boards should create a cybersecurity committee like those for corporate governance, compensation or audit.
The committee is charged with assessing the organization’s risk profile and decision-making based on its findings. Its first order of business is ensuring a robust cybersecurity policy with guidelines and requirements that reduce the organization’s vulnerability. Other responsibilities include determining needed resources and overseeing development of incident response plans, including how the organization communicates with customers and stakeholders in the aftermath of an incident.
Committee members should also look at staffing within IT departments. The well-documented cyber workforce shortage exists across all skill levels. Directors are wise to create an organizational culture where cyber is recognized as a top priority, thereby enhancing the recruitment and retention of cyber professionals.
Require Employee Training
Insider threats cause around 60 percent of cyber incidents, according to most estimates. An insider is anyone with authorized access to the organization’s network who compromises that network either through malicious intent or human error.
In just one example, Mailchimp customer accounts were exposed last year after an employee fell prey to a social engineering attack. Mailchimp suffered more reputationally than it did financially, all because of a mistake that could have been prevented through forward-looking cybersecurity training.
According to a June report from Fortinet, an overwhelming majority of leaders say their organization provides cyber hygiene training, but 50 percent say their employees don’t have the cyber knowledge they need. The report suggests current training programs are not as effective or comprehensive as they should be.
The typical IT department is not positioned within their organization to stipulate participation in rigorous, frequent training focused on the latest threats. Governing boards, however, can and should ensure these programs are prioritized and required.
Ask Hard Questions
There’s nothing like requests from directors to motivate action within an organization! Among other questions, they should inquire about network security improvements, cost for the company if fully offline for a day, how cyber threats are detected and what impact recent events in Israel and Gaza have on the organization’s overall risk profile.
Cybersecurity is a board-level priority. Directors who take cyber risk seriously are protecting their company or organization, financially and reputationally.
