Six ways boards can step up support for cyber security

Security is an enterprise-wide risk management concern, not merely an IT issue

With 75% of organisations citing a significant IT security risk exposure, they cannot afford to ignore the growing risk of cyber threats.

Accountability for breaches and incidents now extends far beyond IT, and organisations are beginning to push cyber security responsibility into the hands of the executive team and board.

"As organisations start to escalate cyber security programmes to the board ... shared accountability will be the lynchpin for success," said Ralph Salomon, VP of secure operations at SAP Global Security. "No IT department or CISO can tackle the cyber security challenge in a silo. Board support and culpability will become the norm in the years ahead."

So how can boards step up to the cyber security challenge and work effectively with CISOs?

Expand board expertise

Business leaders are beginning to understand that cyber security is an enterprise-wide risk management concern, not merely an IT issue. While the CISO role is evolving, the makeup of the board is evolving too.


Corporate boards are looking for increased technical literacy and are actively pursuing digital directors and advisors who can deliver high levels of both technical and business acumen.

All board members need to fully understand the role they play in overseeing cyber security and push for board-specific reporting and cyber security transparency. This combination increases the board's ability to ask the right questions and gives the CISO the right opportunities to communicate.

Build collaborative relationships with the CISO

Executive leaders and board members must be proactive about working hand-in-hand with CISOs to position their companies to withstand the incessant onslaught of attacks. All parties need to work together to ensure clear lines of communication and incident preparation.

Nearly one-third of board members are dissatisfied with the quality of information they get regarding cyber security risk. CISOs and board members must therefore work together to have meaningful conversations with all parties involved, with the board stating clearly what information it wants and how often it needs it.

An open dialogue about current threats, emerging attack patterns and incident response protocol leads to smarter decisions and better business outcomes.

Walk the walk

While many businesses have developed an incident response function, 30% do not have formal incident response plans in place, and 57% of those who do have a plan admit to never updating or reviewing them, according to RSA.

In addition to showing support for a company's cyber security strategy and initiatives, boards should actively engage the CISO to work with them on other organisational approaches, such as incident response programmes, which need to be continuously reevaluated and updated to address increasing activity in cyber attacks.

Expect security reporting discipline

Security is now a key business function, and should be treated that way. Ensure CISOs know what reporting metrics and benchmarks are valuable to the board by applying a reporting discipline with consistent benchmarks and actionable information.

Although approaches and formats may vary, board members look for regularity in reporting from CISOs. Some want programme-level updates presented against defined benchmarks, with any important changes highlighted. Boards and CISOs, then, should work together to develop a functional reporting system that can be delivered regularly.

Be clear about your innovation needs

In an industry where every operational change is technology-driven, continual investment in new functions and capabilities to spark innovation is essential. At the same time, there is a balance to be struck between innovation and introducing technology that puts your business effectiveness at risk, and this can create a state of constant security and compliance catch-up.


Business growth may be at the heart of most organisations, but the board is charged with helping to determine the trade-offs between risk and returns. Clearly communicated financial and operational risk tolerances and priorities from the board and executive team will allow the CISO to manage expectations effectively.

More is better

Where CISOs were once asked to appear at meetings on specific occasions, CISO attendance at regular board meetings is now much more common. Boards should proactively allocate time at board meetings to hear from the CISO and examine future trends and risks as well as more immediate priorities.

"The job of a senior security professional is changing rapidly," noted Securosis analyst and president Mike Rothman. "They need to be able to allay fears by educating executives on the security programme and its objectives, milestones and other aspects of daily security operations."

With a proactive cybersecurity strategy in place that is supported by the board, eight major types of cyber attacks have been reduced by an average of 53%, according to a report by The Economist Intelligence Unit (EIU). These dramatic numbers underscore the critical role the board plays in reinforcing the importance of security throughout an organisation.
