In this cybersecurity guide for board directors, we examine the rising costs of cybercrime, look at some high-profile cyberattack case studies, and detail the type of questions board members should ask their organisation’s IT executives.
There was a time when boards of directors would meet once or twice a year for cybersecurity briefings, check the box, and move on. It was mostly an exercise to ensure compliance and ultimately little more than an afterthought. As the board had little technical understanding, many were happy to throw money at the problem and let IT professionals deal with it.
The world has changed over the past few years, and some of the most substantial changes are only now taking place. Increasingly sophisticated cybercriminals pose a real threat to society.
Despite wanting to focus on cybersecurity, many board members may feel entirely baffled by it. Often, they don’t have the background to talk confidently about cybersecurity or don’t have the time to study it, which is fine, as long as the board understands its role in cybersecurity.
The board should not be passive regarding cybersecurity, merely waiting to review reports and hear how things are going. A board’s primary responsibility is to set the organisation’s security strategy, and it is the responsibility of the head of IT to implement it.
Your job, as a director, is to determine what essential areas need to be defended. The board must decide its top priorities, whether they are related to intellectual property, customer data, trade secrets, or financial transactions.
There are many questions the board and its directors can and should ask the head of IT. There is one primary question when it comes to cybersecurity: “Are we taking the right actions to reduce risk?”
Poor security can cause reputational damage, lost business, and even affect share prices.
Questions directors can ask at board meetings:
- What is your assessment of where we are now?
- How do we benchmark against others in our industry or peer group?
- What are the KPIs we should examine?
- How do those security KPIs correlate to business outcomes?
- What should we be doing differently to meet those KPIs?