Cybersecurity governance requires improvement, according to a survey on boards

Corporate boards are being urged to boost their cybersecurity oversight and compliance due to new SEC disclosure rules focused on cybersecurity.

Board directors are increasingly being held responsible for a company's cybersecurity shortcomings, with both personal and professional liability at stake. It is therefore crucial that they understand the risks and take proactive measures to mitigate them.

One of the key steps in this direction is for the Chief Information Security Officer (CISO) to report higher up in the organization, so that they can be consulted on cybersecurity and technology disclosures. Elevating the CISO to the executive team allows them to report to the board regularly and answer its questions directly, improving transparency and accountability.

Rob Clyde, an experienced board director, emphasizes that every board member should be cyber-literate: able to ask informed questions and take part in the discussion, so that cybersecurity is neither overlooked nor misunderstood.

The CISO plays a significant role in board cyber readiness. They should be able to tell the board what it needs to know, and what it should do, about any cyber deficiencies surfaced by the IT audit. This includes explaining how they advise other business units on cyber-related risks, a skill that modern CISOs need to master.

Unfortunately, many organizations still have the CISO reporting to the CIO, CTO, or CFO. That reporting line can filter or dilute what reaches the board and leads to a lack of board-level focus on cybersecurity. To address this, the CISO needs to be seen as a strategic partner, not just a technical expert.

A joint Corporate Governance Institute and Board Intelligence survey found that nearly 60% of respondents had not received sufficient training on cyber resilience in the previous 12 months. Without that education, board members are less likely to ask management the hard questions about cybersecurity.

To combat this, board directors can engage in dedicated cybersecurity education programs tailored for business leaders. These programs offer executive courses that focus on emerging cyber threats, the legal and reputational impacts of breaches, and fostering a security-first culture across the organization.

Directors should also familiarize themselves with industry-standard cybersecurity frameworks such as the ISO/IEC 27000 series or the NIST Cybersecurity Framework (CSF). These provide a structured vocabulary, processes, and benchmarks for assessing their organization's security posture and discussing it relative to peers.

Other ways directors can enhance their understanding include participating in targeted cybersecurity awareness campaigns and training, collaborating closely with CISOs, promoting the use of threat modeling techniques, and supporting organizational efforts to build a culture of cyber readiness.

The Securities and Exchange Commission has introduced cybersecurity disclosure rules that require public companies to report material cyber incidents and to describe their cyber risk management, strategy, and governance, which puts incident handling and oversight squarely within the board's liability. A lack of cyber awareness can lead to insufficient or late disclosures, which in turn can result in investigations and lawsuits. With cyber threats against businesses increasing, it is essential that board directors take their cybersecurity responsibilities seriously.

The chief audit executive also has a role to play: ensuring that the organization's external audit includes an IT audit. Corporate stakeholders want a clearer view of the risk profile of their technology stacks in order to judge whether they are a likely target.

In conclusion, developing cybersecurity knowledge at the board level requires a combination of formal education, practical frameworks for risk assessment, ongoing collaboration with cybersecurity professionals, and exposure to real-world threat prioritization and mitigation strategies. This comprehensive approach empowers directors to make informed decisions, respond better to incidents, and support cyber risk management as a shared organizational responsibility. Boards are encouraged to invest in continuing education for their directors and to budget for it explicitly.

  1. Beyond the CISO's role in board cyber readiness, board directors should acquire cybersecurity knowledge through education programs designed for business leaders, which focus on emerging cyber threats, the legal and reputational impacts of breaches, and fostering a security-first culture.
  2. To address the common problem of the CISO reporting to the CIO, CTO, or CFO, which leads to a lack of board-level focus on cybersecurity, the CISO needs to be seen as a strategic partner rather than just a technical expert, and directors can collaborate closely with the CISO to make that happen.
  3. To be prepared to ask hard questions about cybersecurity, board members should familiarize themselves with industry-standard frameworks such as the ISO/IEC 27000 series or the NIST Cybersecurity Framework (CSF), which provide structured processes and benchmarks for assessing and discussing their organization's security posture relative to peers.
