Hundreds of millions of dollars are still being lost because of hacks, which suggests that just because an enterprise spends millions doesn’t mean that money is well spent. Ridge said, "If you give board members a place to be able to ask questions about malware, regulators, threats, incident response, and disaster recovery, they can make informed decisions."
The board members have a responsibility to provide efficient and effective governance, but Ridge said, "Not enough attention has been paid to the digital realm and the level of risk."
NACD decided that cyber risk needs to be a part of the boards’ agenda.
Tom Ridge, former US Secretary of Homeland Security
In this online platform, participants are informed about the types of questions they need to ask, and the 20-hour program culminates with their watching a simulation of a cyber crisis.
The catalyst for this CERT, said Ridge, has been NACD because they set the standards for responsible board leadership. "They look at boards of directors, shareholders, regulators and hold them accountable. The goal is to reduce risk to the business. NACD decided that cyber risk needs to be a part of the boards’ agenda," Ridge said.
Peter Gleason, CEO of NACD, said the digital world is a very rapidly changing environment as it pertains to cybersecurity. "Most board members are not technologists themselves. They may understand the risks, but they may not be as comfortable with the lexicon and key issues. That’s where the whole uncomfortableness comes from," Gleason said.
For those who haven't had the in-depth training around technology issues, playing catch up seems like a formidable task given that even if they learned the technology now, two years from now, it may not be relevant.
The roles of everyone from the CISO or the CTO to the directors have also evolved because of a need for a common language. "When the CISO or CTO is talking about the steps a company has taken in technology to secure key assets, they tend to speak a different language than most people speak," Gleason said.
The language of risk is becoming more common across all facets of the enterprise so that the conversations are not about why they are using an application in this fashion. Gleason said, "Unless you’re steeped in that, you don’t know whether 6 million or 3 million is the right answer."
Risk-centric conversations are morphing the language of technology and attacks in a way that is comprehensible for different players across the field. Understanding the risks of cybersecurity means understanding how technology changes risk so that everyone knows how the enterprise is securing its assets.
"The board members oversee the management of the organization," said Gleason. "Because cybersecurity is a relatively new field, they may not know the right questions to ask. That's why the beginning section of the course is designed around cybersecurity."
Sign up for CIO Asia eNewsletters.