Forget Cybersecurity

It’s no longer a question of whether a company will experience an attack, but when. Security is about hunkering down, while resilience means being able to operate after a breach. Here's what directors need to know.

Over the course of my career, I’ve had the honor of sitting on the boards of nine public companies and more than 70 private companies. In my experience, the number one responsibility of any board member is to use your best business judgement to further the cause of the company. Part of this best business judgement, of course, is managing for risk, which can include everything from losing key personnel to not having adequate insurance policies in place.

Another category of risk that has grown dramatically in the past decade is cyber risk. Cyber risk is a direct result of the fact that everything in business is now connected digitally. The attack surface isn’t just your front door and back door, it’s the ever-expanding number of entry points to your network.

Cyber risk is a board-level issue because a breach can crush a company’s stock price, tarnish its reputation and scare off customers and partners. A study by the Ponemon Institute revealed that a company’s stock price drops an average of 5 percent immediately after a breach is exposed. The study further found that companies lose an average of $3.92 million in revenue and a significant portion of their customers after a breach.


2020 Private Company Comp Report

Cyber Beyond Security: Is Your Board Ready?
CBM’s 2020 Cyber Risk Board Forum is the most effective, efficient cyber education program available for directors, a day of intimate, interactive learning from world-class experts at Adobe, Equifax, Comcast, Docusign and more. Keynote speaker: Richard Clarke, Fmr. National Security Coordinator and bestselling author of The Fifth Domain. Learn more.
Feb. 24, 2020 | Fairmount Hotel | San Francisco, CA | In Partnership With RSA Conference

 

If that doesn’t grab the attention of board members, it should. And it should spur them to educate themselves about the urgent threat of cyber risk and the cybersecurity measures necessary to minimize that risk.

In the old days (several years ago), cybersecurity was all about detecting and protecting. But these days, strong cybersecurity means much more than prevention. It means resilience: the ability to fend off a cyberattack and emerge relatively unscathed. Because it’s no longer a question of if a company will experience an attack but when. Security is about hunkering down. Resilience is about continuing to operate after a breach.

Board members are not required to grasp all the ins and outs of cybersecurity. They don’t need to be cyber experts, they don’t need to be conversant in the latest cyber technologies. But they do need to understand the magnitude of cyber risk today and what their companies are doing about it.

For starters, board members should be able to assess their organization’s digital resilience and measure its degree of preparedness for an attack. Well-operated organizations measure their preparedness regularly and assign themselves a digital-resilience score. A high score means that the organization has a good chance of withstanding a cyberattack and incurring limited damage. A low score means that the organization has some gaps in its network awareness, making it more vulnerable to a devastating attack.

Board members should know the score. They should monitor their organization’s cyber preparedness and watch to see if its digital-resilience score is trending better or worse. When a score dips, board members should ask for an explanation and press for weak spots to be addressed.

If a company does not already have a committee that monitors cyber risk and the people who are accountable for it, board members should advocate for the creation of such a committee. This committee should be similar to an audit committee but one that focuses on cyber risk. And it should work continuously. It can’t simply meet a couple times a year to evaluate the company’s cyber posture. The cyber threat landscape evolves daily, so the cyber committee must be an active body. It must be alert to new threats and ensure that the organization is prepared to protect itself at all times.

Board members can join this effort. They can monitor cyber diligence and make sure their company is conducting regular cyber-diligence assessments. These assessments should examine all network vulnerabilities and estimate the scope of damage that might occur in the event of a breach. They should appraise current capabilities and measure the company’s ability to defend itself against cyber threats.

A digital network is like an office building. If for some reason the building catches fire, you need to quickly respond to the incident and stop the blaze before it causes large-scale damage. That’s called resilience.

Board members need to embrace the concept of digital resilience and understand that if their company is attacked, that attack does not necessarily have to expand into a full-blown breach. With a security approach built around digital resilience, a company can prevent breaches and all the downstream problems that come with them, including loss of customer trust, plummeting stock price and millions of dollars in remediation fees and regulatory fines.

A company that is digitally resilient is a company that consumers want to do business with, employees want to work for and investors want to champion. That’s not just resilience—that’s success.