Boards Should Take Responsibility for Cybersecurity. Here’s How to Do It


With news of data breaches, ransomware attacks, and zero-day vulnerabilities making headlines, cybersecurity is likely appearing even more frequently on the agenda in many board meetings. After all, no company wants to become the next brand on the front page of the Wall Street Journal or have their executives testify in front of Congress.

But while cybersecurity is now on the agenda at board meetings, this doesn’t mean that board members understand how to tackle the issue. After all, most board members have expertise in other forms of risk, and not in how to protect corporate assets from nation-state attackers and highly organized cyber adversaries.

The good news is that there are several practical steps directors can take to protect their organizations that don’t require deep cyber expertise:

Help the executives in charge of information security understand the business. While security executives have a reputation for stymieing operations and product development with the burdens of technical operations, their role is actually to enable business. Their job, in fact, depends on it. By including them in discussions about immediate and long-term business priorities, customer issues, and overall strategies, directors can ensure that the company’s security plan aligns with the company’s business goals.

Ideally, security executives should attend board meetings in the same way that a chief financial officer would. Failing that, they should at least be briefed by the board on the organization’s projects and should have a chance to respond with functional plans to support the company’s top priorities.

When meeting with security leaders, directors should ask how their cybersecurity plan will help the company meet one or more of these objectives: revenue, cost, margin, customer satisfaction, employee efficiency, or strategy. While these terms are familiar to board members and business executives, security leaders may need guidance on how to frame their department’s duties in the context of business operations.

Make sure that security is included in discussions on new products and services. Security is often tacked on at the end, or, even worse, after a flaw is discovered in a product that’s already being sold. Incorporating security in the early stages of product development results in safer, more secure offerings and can spare companies the expense, hassle, and potential public embarrassment that accompanies retrofitting security.
