Business, IT, and information security leaders alike repeat it all the time: cybersecurity is a board-level issue. Assuming that is true, and many organizations believe it is, what can the board of directors actually do to improve cybersecurity efforts?
Most experts agree that one of the most important things boards can do is to set the security tone for the organization.
“The board of directors, led by the CEO, should lead collaboration and security awareness across the enterprise,” says Steve Durbin, managing director at the Information Security Forum. "Senior executives understand that the global economy is still not adequately protected against cyberattacks, despite years of effort and annual spending in the billions.”
Security managers and CSOs across the country, in discussions on the subject, emphasized that it is crucial for the board to lead cybersecurity efforts. “The board can help the security team to focus on what matters the most to the business,” says Jay Leek, senior vice president and chief information security officer at Blackstone. “It can set the tone to make sure the organization takes security as seriously as it needs to be and that the required resources are available.”
When the board of directors or top executives are in sync with the efforts of information security teams, policies are developed and assets prioritized for protection in ways that best insulate the organization from attack. Otherwise, security becomes too focused on regulatory compliance, and passing the regulators' tests becomes the objective, rather than blocking and responding to adversaries and successful attacks.
“Because cybersecurity affects the entire organization, it should, without a doubt, require board oversight,” says Lloyd Marino, CEO of strategy and application development firm Avetta Global. “[Yet], while most IT departments and possibly security audit committees are up to speed on risk and risk assessments, most are not concerned with the business vision and matters of innovation, competitiveness, and strategy, all of which are crucial to operational technology and security oversight.”
That creates a disconnect between the actual threats that enterprises face and their ability to meet those risks, explains Monzy Merza, chief security evangelist at Splunk. “Well-intentioned policymakers develop policies to enable organizations to protect themselves,” says Merza, “but implementing policies without focus on critical assets and business requirements only manages to pass audits, rather than stop attackers.”
Most agree that when it comes to such cybersecurity and risk management decisions, especially determining the organization’s risk appetite, senior management, the board, and the CEO are the only ones in a position to make that determination. “Cybersecurity is not one-size-fits-all and is very dependent on the type of organization and the level of risk the organization is willing to accept,” says Eric Cole, fellow and cyber defense lead at the SANS Institute. “All organizations must accept some level of risk, and that can only be decided by the board being actively involved in understanding and approving the high-level strategic security goals for the organization.”