Six ways boards can step up support for cyber security

Security is an enterprise-wide risk management concern, not merely an IT issue

For organisations both large and small, cyber attacks are a constant concern, with a recent study revealing that 68% of business leaders feel their risks are increasing. Accountability for breaches and incidents now extends far beyond IT, and organisations are beginning to push cyber security responsibility into the hands of the executive team and board.


Business leaders don't want to be making headlines for being the latest victim of a data breach, and as a result, are actively trying to manage risk. Cyber threats represent the lion's share of potential harm, and strategies to deal with security need to be aligned with wider business priorities. A survey by the Enterprise Strategy Group showed that four in 10 executives and directors now want security status reports for cyber risk associated with end-to-end business processes.

So how can boards step up to the cyber security challenge and work effectively with CISOs?

Expand board expertise

Business leaders are beginning to understand that cyber security is an enterprise-wide risk management concern, not merely an IT issue. While the CISO role is evolving, the makeup of the board is evolving too.

Corporate boards are looking for increased technical literacy and are actively pursuing digital directors and advisors that can deliver high levels of both technical and business acumen.


All board members need to fully understand the role they play in overseeing cyber security and push for board-specific reporting and cyber security transparency. This combination increases the board's ability to ask the right questions and gives the CISO the right opportunities to communicate.

Build collaborative relationships with the CISO

Executive leaders and board members must be proactive about working hand-in-hand with CISOs to position their companies to withstand the incessant onslaught of attacks. All parties need to work together to ensure clear lines of communication and incident preparation.


Nearly one-third of board members are dissatisfied with the quality of information they get regarding cyber security risk, so CISOs and board members must work together to have meaningful conversations with all parties involved by telling them what information they want and how often they need it.

An open dialogue about current threats, emerging attack patterns and incident response protocol leads to smarter decisions and better business outcomes.

Walk the walk

While many businesses have developed cyber security strategies and business continuity plans, the government's Cyber Governance Health Check showed that less than a fifth (16%) of boards had a comprehensive understanding of the impact of loss or disruption associated with cyber threats. That's despite 96% of them having a cyber security strategy in place.

In addition to showing support for a company's cyber security strategy and initiatives, boards should actively engage the CISO to work with them on other organisational approaches, such as incident response programmes, which need to be continuously reevaluated and updated to address increasing activity in cyber attacks.

Expect security reporting discipline

Security is now a key business function and should be treated that way. It is vital to ensure CISOs know what reporting metrics and benchmarks are valuable to the board by applying a reporting discipline with consistent benchmarks and actionable information.


Although approaches and formats may vary, board members look for regularity in reporting from CISOs. Some look for programme-level updates for defined benchmark presentations where any important changes are highlighted. Boards and CISOs, then, should work together to develop a functional reporting system which can be delivered regularly.

Be clear about your innovation needs

In an industry where every operational change is technology-driven, continual investment in new functions and capabilities to spark innovation is essential. At the same time, there is a balance to be struck between innovation and introducing technology that risks your business effectiveness, and this can create a state of constant security and compliance catch-up.

Business growth may be at the heart of most organisations, but the board is charged with helping to determine the trade-offs between risk and returns. Clearly communicated financial and operational risk tolerance prioritisation from the board and executive team will allow the CISO to effectively manage expectations.

More is better

Where CISOs were once asked to appear at meetings on specific occasions, CISO attendance at regular board meetings is now much more common. Boards should proactively allocate time at board meetings to hear from the CISO and examine future trends and risks as well as more immediate priorities.


"Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks," said Ciaran Martin, CEO of the NCSC.


As cyber threats continue to evolve, it may not be possible to completely eliminate the possibility of falling victim to an attack. But with a proactive cybersecurity strategy in place that is supported by the board, research has shown that financial losses in the event of a successful attack are lower.
