Boards can no longer relegate cybersecurity to the IT department—but how exactly do they get engaged with people on the frontlines?
To get some clarity, Corporate Board Member talked with David X. Martin, author of The Nature of Risk and co-chair of The Directors and Chief Risk Officers Group. Martin talked with us about how boards can make cybersecurity not just something they check the box on, but a strategic advantage. He also talked about a few steps boards can take to increase their level of engagement around cybersecurity.
Below is an excerpt from this conversation.
How can boards help make cybersecurity a strategic advantage for their organization?
Companies need to factor cybersecurity into new product offerings. Tighter communication and collaboration between business partners and customers will be facilitated through advances in access management / federation. New solutions will be developed for better web access management, federated identity, social and mobile support and adaptive authentication. These new solutions will need to be incorporated into how new products reach and are used by customers.
Even further, as integrated enterprises extend further beyond the perimeter of the organization itself, security will become even more important. In the world of the Internet of Things, there are few competitive advantages more critical than trust. Excellence in cybersecurity will become a strategic competitive advantage.
What are a few of the steps boards can take to increase their level of engagement around cybersecurity?
The specific needs of any effective cyber program include careful planning, smart delegation, and a system for monitoring compliance — all of which Directors should oversee. It’s no longer a question of whether a company will be attacked but more a question of when this will happen — and how the organization is going to prevent it. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of true cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery.
Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can.
Longer term, the Board should understand and consider the strategic business implications of cybersecurity, foster the right company culture surrounding security, and encourage the integration of cyber risk management practices into other governance and approval processes. In essence, the Board should consider cybersecurity as a managerial issue, not just as a technical one.
What are a few KPIs that can help you better understand if you’re truly winning the cybersecurity war?
Key performance indicators for cyber security are usually highly technical and often not related to what is important to the business. A good set of metrics for the Board would be some type of balanced scorecard that includes: customer satisfaction (customer system downtime caused by information security [IS] incidents), reputation (number of IS incidents reported in the media), financial (IS budget as a percentage of IT budget), strategy (IS maturity level: 0 to 4 vs. industry average of 2.2), and brand protection (average time required to take down fraudulent websites).
Over time, the company should build its own immune system to better understand if it's truly winning the cybersecurity war. The human immune system provides a useful analogy. When a germ breaches the body's natural barriers, the immune system mounts a three-step defense: sound the alarm, solve the problem, then recover and remember. The effectiveness of an organization's cyber security defense, like that of the immune system, depends on each component fulfilling its role. Sound the alarm: constant surveillance is critical, with early warning indicators and multiple layers of defense. There should also be an effective, constructive challenge function, so that no single individual has sole responsibility. Solve the problem: corporations must manage cyber security at the enterprise level and not treat it as just a technology issue. Recover and remember: when things go wrong, it is important to learn from your mistakes. The company's cyber resilience program should bring the areas of information security, business continuity and organizational resilience together.