Concerns over cybersecurity have been intensifying over the past decade. Data from our “What Directors Think” survey conducted in 2012 showed only 23 percent of directors were highly concerned over a potential breach—the same proportion considered it a “low” concern. Similarly, only 37 percent of board members surveyed that year placed cyber risk among the most pressing agenda topics for their next board meeting.
Five years later, in our 2017 “What Directors Think” survey, 61 percent of directors reported that their CISO/CIO regularly discussed cybersecurity “at length” with the board, and 53 percent said they regularly brought in consultants for further guidance on the issue. That is a clear indication that cybersecurity was gaining prominence in the boardroom, likely spurred by the wave of high-profile data breaches at large companies, including Equifax, Uber and Yahoo!.
Today, directors rank cybersecurity first on the list of difficult issues to oversee—up from third place just a year ago. In fact, three-quarters of directors now say they are more concerned that their company will confront a cybersecurity/data breach crisis than any other crisis.
“[Cybersecurity] is a topic in every board meeting,” said Robert Shapiro, a director of the board of Overstock.com and a former advisor to top White House officials, including President Bill Clinton, Vice President Al Gore and Secretary of State Hillary Clinton.
Heightened awareness of the need for a multifaceted cybersecurity strategy is fueling the sense of urgency, he explains. “Most people focus on preventing attacks. Well, you can’t prevent all attacks. What you need to focus on is not as much prevention or protection as resilience, how quickly you get back up…. Anybody can be taken down, but the question is, can you get back up in 15 or 30 or 60 minutes—or a catastrophic two or three days?”
The pandemic made matters worse. With a more distributed workforce, the risks of breaches and ransomware attacks have grown sharply. FireEye Mandiant’s 2021 M-Trends report, for instance, shows there were twice as many ransomware attacks in 2020 as in 2019, and 2019 was already the highest year on record.
The burden to safeguard the company’s most sensitive data rests squarely on leadership teams. Boards must remain vigilant and continuously address the issue with management, particularly as market dynamics continue to shift.
According to the 400 directors surveyed as part of our 2022 edition of the research, conducted in partnership with Diligent Institute, the focus must shift from prevention to resilience, as companies come to understand that a cyber incident is no longer a question of “if” but “when.” Directors therefore agree that the best cybersecurity plan must spell out how quickly a company can detect a breach, contain the damage and recover from it.
“Boards just need to continue to say, ‘Okay, what’s new in this arena? What are we likely to see next? And how can we best look around the corner and try to position ourselves to defend effectively against it?’” said John Hayden, a member of the board of E. W. Scripps Co. and Tiberius Acquisition Corporation.
Here are other questions to consider for your next board discussion:
- Does the board receive regular updates from internal risk, compliance, data security and data privacy teams—those well-versed in cybersecurity and data protection? Are these teams communicating effectively with the board?
- Are the teams within your organization that oversee cyber risk properly empowered to carry out their duties?
- Does the board set the right tone at the top about the importance of cybersecurity and digital transformation? How is the board holding senior management accountable on these issues?
- Is the board up-to-date and conversant on cybersecurity and digital transformation trends? If not, what sources or materials could help them stay current?