I’ve seen it time and time again throughout my decades helping enterprises improve their cybersecurity postures: When the Board of Directors (or simply “Board”) isn’t involved, cybersecurity comes up short. Nothing else, not the size of the budget, team, or security stack, has a bigger impact on organizational resilience than the Board does. Cybersecurity starts and stops with them.
This has always been true, but the impacts are felt now more than ever in my experience. Neutralizing today’s aggressive, sophisticated, and destructive cyber attacks takes a tremendous effort that never stops. The smallest mistakes can have massive consequences. Something like cybersecurity, where failure comes with high risks and success comes with high rewards, requires the Board’s attention and prioritization.
Fortunately, they’re willing to pay attention like never before. They’ve seen the chaos hackers can cause, and they know by now how complex cybersecurity resilience can be. Boards want to do something. What they’re still missing is good guidance to help plan and provision for cybersecurity effectively. They need accessible and actionable direction—and they need it now.
I suggest you start here.
What Boards Need to Know
Boards have one responsibility above all: protecting the organization. As the stewards of the organization who hold a fiduciary responsibility, they need to understand which risks to care about, why they should care, and how to have the most impact. Cyber risk is complex and ever changing, though, which makes it difficult to explain to board members who may lack cybersecurity expertise. Take care to impress these points:
- Cyber risk comes in many forms (attacks, non-compliance, system outages) and comes from many sources (computers, employees, third parties).
- Managing cyber risk is about proactive measures and preventative defenses. Respond and Recover, while still important, aren’t enough anymore.
- As both a clear and present danger and an existential threat, cyber risk needs to be a top priority, one on which boards take decisive action going forward.
What Boards Need to Do
Boards determine what companies care about, first by crafting strategic priorities and second by modeling the culture for everyone else. That’s why Boards make or break cybersecurity—if they’re not involved, it will always be an afterthought. Here’s what that involvement should entail:
- Funding: Best practices suggest allocating at least 20% of the IT budget to cybersecurity. Boards should enforce that threshold and mandate spending on essential practices and technologies like penetration testing, cloud security, and cyber compliance.
- Staffing: Cybersecurity takes leadership at multiple levels to remain effective and agile. Boards should have input (or final say) over who those leaders are and for what risks each one is responsible. Further, Boards need to hold the organization’s executive leadership accountable for the results they desire. This is typically done by tasking the Board’s Audit Subcommittee with oversight, which is a good step. Just make sure the cybersecurity metrics presented by the executive team contain the appropriate level of detail for the Board (hint: this is sometimes easier said than done).
- Oversight: When companies care (or don’t) about cybersecurity, it’s clear. Boards should recognize their impact on the company culture and use it to emphasize the importance of cybersecurity, why it matters for everyone, and how cyber resilience takes a collective effort, starting with the Board itself.
What Boards Need to See – Four Ps
Boards may want to improve cybersecurity, but they have plenty of other issues competing for their attention and engagement. It can take some jockeying to get in front of the Board, at which point it is important to make the right impression so that key messages stick. I’ve seen boards respond favorably to these approaches:
- Person: Pick one person (usually the CISO or CIO) to educate the Board about cybersecurity and the role they play. Having a single “spokesperson” for cybersecurity keeps the message clear and cohesive, and it signals to the Board where to go for more information.
- Perspective: When possible, frame cybersecurity topics in terms of risk reduction and return on investment (ROI)—the language that Boards speak in—rather than focusing on specific attacks and defenses. Boards typically don’t want or need lots of technical jargon when thinking about cybersecurity, but presenters should be prepared to go there, if asked. Keep in mind: cybersecurity metrics can be challenging to present because when everything is working well, nothing happens. Yes, you’re asking for the Board and executive team to approve funding so that nothing happens.
- Plans: Come to the Board with reasonable and actionable cybersecurity plans already established, along with a strong pitch for those plans. Ultimately, Boards want oversight and approval over cybersecurity, but they rely on security experts for the substance and strategy.
- Progress: Organizations should make, and Boards should expect to see, meaningful progress and improvements in the cybersecurity program over time. Cybersecurity success will not happen overnight and is not a “one and done” endeavor. It is a journey that persists through the lifecycle of the organization. In order to make meaningful progress, Boards need to ensure the cybersecurity program has adequate resources and backing.
What Boards Really Want
What do Boards want more than anything else? Perfection. However, there is no perfect cybersecurity program, and boards should have a realistic understanding of risk management. Realistic Boards do expect results. They want the agenda they put into action to have the intended effects. When it comes to something dynamic and disruptive like cybersecurity, though, getting what you expect never happens easily.
Help the Board feel confident that cyber risk is under control and trending in the right direction by enlisting the right security partner. Summit Security Group provides advanced cybersecurity services that enterprises can’t, don’t, or won’t handle themselves. Put the pieces in place to make cybersecurity a strength the Board can trust.
Contact our team for help with your Cybersecurity program at the organizational or board level.