How Boards Can Boost Their Cyber IQ

Every member of the board has some level of accountability for knowing what constitutes cyber risk and how to best manage it. Fortunately, resources abound.

In 2018, the financial impact of cybercrime exceeded $45 billion. As risk levels only continue to rise, organizations are scrambling to protect their digital assets—spending more money and deploying more security controls. The stakes have never been higher for business and technology leaders.

We are also seeing a growing need for cyber-aware executives and board members, with an increasing expectation that directors bring a level of cyber awareness and competence to their roles. But developing acute cyber awareness is sometimes easier said than done, notably for those without a deep technology background.


The good news is that, for individual board members looking to “raise their cyber game,” there is a continuously expanding ecosystem of resources, frameworks and educational opportunities at their disposal. Board members can also turn to experts for both internal and external guidance, just as they would with their CFO or auditor.

Below, I outline some guiding principles to keep in mind as you both address the cyber makeup of your board and look to elevate board-level cyber awareness overall.

Not Every Belt Needs to Be a Black Belt

Should you seek out security experts to deepen your cyber bench? Certainly this should be a part of your board roadmap. But, even with experts in place, every member of the board has some level of accountability for knowing what constitutes risk and how to best manage that risk. Cyber risk should not reside solely in the purview of the “black belts.”

Fortunately, resources are emerging to help board directors get up to speed. Formal education is available through courses such as MIT’s Cybersecurity Leadership for Non-Technical Executives, which “provides leaders and managers (non-CISOs) with frameworks and best practices for managing cybersecurity-related risk.” A variety of certification programs are also now offered by Stanford’s Center for Professional Development, Carnegie Mellon, NACD and others.

Look Both Inside and Outside

As the risk landscape expands, so too does the ecosystem of resources that boards have access to—both within and outside of the organization. Boards should hear from security leadership frequently. Just as the board communicates regularly with the CFO and relies on auditors to independently assess financial controls, the same scenario needs to play out with regard to cyber controls and the CISO-board relationship.

But internal experts like CIOs and CISOs should not be the single source of information and guidance for the board. The cadence and scope of external assessments may vary, but they are a critical tool for a board’s cyber evaluations.

Tapping into the rapidly maturing ecosystem of external tools and resources can also give board members a way to measure against industry benchmarks and absorb diverse perspectives. These could include:

• Industry scorecards and frameworks: A number of industry organizations provide benchmarking data, testing options and detailed security frameworks. These not only help companies meet compliance and regulatory requirements, but can also serve as educational resources. The National Institute of Standards and Technology (NIST), for example, offers a cybersecurity scorecard to benchmark against and the ability to cross-reference internal data with industry standards. These frameworks also come with a deep pool of consultants and experts to help run standard assessments, like SOC 2, so companies can understand how they stack up. The kinds of assessments that make sense for your enterprise are heavily influenced by industry, size and structure.

• Financial and legal experts: Because financial, legal and cyber risk are interconnected, existing business partners such as auditors or outside counsel can serve as valuable sources of guidance. Tap into their network and knowledge base to identify new and innovative solutions, better understand risk management best practices and stay on top of emerging requirements.

The professional development of your board members, together with their prioritization of outside expertise, industry scorecards and frameworks, will be a big step in the right direction. By addressing both who sits on your board and the way they operate, your board can make significant shifts in the resiliency of your organization’s security strategies.