Three Steps to Get to Better Cybersecurity
02/08/2024
Cybersecurity is a key topic for boards, from exercising oversight to defining strategy, both of which must take into account the US Securities and Exchange Commission’s (SEC) regulations and up-to-date risk management practices. In reality, though, boards have overlooked this issue for too long. Getting started requires diligence and asking the relevant questions.
While technologies are ever-changing, and doing so at an accelerating pace, many risk management fundamentals also apply to cybersecurity. Even if there is no cybersecurity expertise on the board, it is essential to get started.
Below are three easy ways to embark on this journey.
Review Your Communication Plans
Murphy’s law famously states, “Anything that can go wrong will go wrong and at the worst possible time.” Thus, the best way to engage with cybersecurity at the board level is to assume that something will go wrong. While management will handle mitigating the problem, oversight, communications, and regulatory filings should flow through the board. Testing and reviewing a communication plan for breaches and other potential incidents is an easy way to handle the learning curve, and it will help prepare the board to do its job in a worst-case scenario.
It also helps shine a light on problems in this domain and discover the company's preparedness level. If the communication plan around a cybersecurity incident isn't clear, notifications are missing, or the latest update to the plan happened years ago, the underlying issues will most likely permeate the rest of the organization.
Consequently, starting with the board's domain and then progressing outward works in everyone's favor. It allows the board to establish an actionable and relevant starting point while everyone else can ease into the broader topic of company-wide risk management.
Run Tabletop Exercises
Once the board’s plans are in place, it’s time to test them against real-world scenarios. Tabletop exercises are a proven way to do so. They take the past year's incidents, preferably from competitors of similar size, and apply them to one’s own organization. Running through such scenarios will unearth shortcomings across all departments and will illustrate the interconnection between information technology (IT), security, marketing, management, and the board.
For board members participating in the exercise, it provides a great learning opportunity. It also gives them valuable insights into the world of technology and lets them establish a direct connection with the people working at the front lines of cybersecurity in their organization.
Given the often secluded nature of the IT department, those exercises are also a welcome opportunity to not only observe but strengthen interdepartmental communication. Running through real-world threat scenarios creates awareness of the work done by other departments in the company and elevates other team members from "the people in the office down the hall" to actual human beings.
Lastly, these exercises are also a great way to help with talent management and the talent pipeline. First, they bring out hidden leaders who might benefit from mentoring and preparation for promotion. Second, exercises will surface relevant employees whom the human resources (HR) department hasn't identified beforehand and reveal any shortcomings of the company’s talent management system that need to be addressed. Third, tabletop drills provide a break from routine and offer some entertainment value to everyone involved. As such, they strengthen the connection between the company and its top talent.
Invest in Strategic Planning
Being prepared to take the right actions if something goes wrong is only half the battle. It is equally important to pay attention to cybersecurity strategies early in the strategic planning process. There are three crucial questions board members should ask their IT and HR departments.
- What assets do we need to protect? Intellectual property, customer data, and financial assets are the three most obvious categories that should come to mind. However, other business information—from supplier contacts to employee performance data—is just as valuable. As with many risks, asking IT which departments would stop working if something were lost or stolen is an excellent way to get an initial overview of the different systems and their assets.
- Who would want to steal it? We tend to think of cybercriminals as the bad actors. However, industrial espionage is another significant consideration. The risk of state-sponsored attacks shouldn't be discounted, especially with the current trade war between the United States and China heating up. Espionage, though, has significantly different risk profiles and calls for other countermeasures than crude monetary-focused ransomware attacks.
- What must be done to prevent bad actors from reaching their target? With most cyberattacks involving a human component, the question should first be put to the HR department so that it can review computer policies and training standards. Once HR has explained its view of the threat landscape, cybersecurity and IT can offer their vision of a secure environment.
Once all three stakeholders have explained their ideas for a unified strategy, look at the answers to questions one and two again. Is any combination of factors and procedures missing? Are there any assets or parts of the infrastructure that are not protected? Are there any inconsistencies? If no unanswered questions stand out, these deliberations might produce an excellent first company-wide cybersecurity strategy.
Continued Review and Learning
The attacks by Iran-affiliated groups against US water suppliers in the wake of the 2023 Gaza war have shown that threats are constantly evolving. As with any corporate risk, management should continuously monitor the risks and adjust its strategies. Likewise, the board should act on its oversight function and monitor the risks and mitigation strategies management proposes.
Criminals will not wait to carry out attacks and enforcement agencies will not wait to tighten regulations. It is the board’s responsibility to act on cybersecurity measures and to always keep an eye on the latest government mandates.
Kevin Korte, NACD.DC, is president of Univention North America. He currently serves on the boards of mPathAI, The Backpackster, and Market Intent.