Why You Need a Cyber Expert on Your Board of Directors
Cybersecurity has been a business risk for decades. The board of directors (BoD) has a responsibility to help manage that risk, but most BoDs don’t even have a cyber expert.
Why not?
Great question. Let’s dive in.
Emerging cybersecurity risks
Cyber threats aren’t new, but serious attention to them is. In 2013, Target suffered a data breach when cyber criminals hacked a third-party refrigeration contractor. Then Yahoo suffered a series of data breaches that compromised over three billion accounts.
After that, large organizations, especially consumer brands, got serious about cybercrime. These days, it’s much harder to hack big companies — they’re locked down with multiple levels of enterprise-grade security. Wouldn’t it be great if that meant the end of cyber risk for everyone?
Unfortunately, it doesn’t work that way. If you’re a business with a bank account, you’re a target. In the United States, there are millions of them, and the numbers grow every day. If bad actors find it difficult to strike gold by breaching brand names, they’ll happily shop around for new victims.
Why the BoD needs to know about cybersecurity
If you’re on a BoD, do you know whether your company’s cybersecurity measures adhere to modern principles like the zero trust model? Whatever happened with the CISO (Chief Information Security Officer) reporting to the CEO and presenting at your board meetings? Did funding for their security team ever get approved?
These are important questions, but they’re only scratching the surface. What do you make of the rise in ransomware attacks and the need for a global solution? Is your company able to prepare a cyber risk report for regulators?
Recently, the SEC proposed an action to improve cyber risk strategy, management, and incident reporting for public companies. The proposed rule is 129 pages long and, among other things, requires organizations to report cybersecurity incidents, provide updates on them, and:
Explain how you identify and manage cybersecurity risks
Explain your cybersecurity policies and procedures
Explain how you implement them
Explain how management assesses and manages cybersecurity risk
Explain its cybersecurity expertise
AND … this is where the board comes in:
Explain how the BoD provides cybersecurity risk oversight
Explain the BoD cybersecurity expertise
Can your company handle this? Aside from complying with the possible regulatory requirements we just mentioned, let’s focus on how having a cyber guru on the board can help the company.
How a cyber expert on the BoD helps protect your company
With a cybersecurity expert on your BoD, your company can be more proactive about cybersecurity. Your expert will advocate for intelligent cybersecurity countermeasures at the most basic level by highlighting critical details others miss or don’t even notice. They will also:
Prove to be indispensable when there's a cyber issue. Often, a BoD takes a while to understand the problem. An expert will grasp it immediately. They can explain it to fellow board members and start guiding the executive team.
Assist in up-leveling the company’s collective security posture. Suppose your BoD has the cyber chops to help your CEO navigate the evolving threat landscape. In that case, your business can get ahead of the next attack with strategic risk management for today, tomorrow, and the future. Without that added expertise, you might continuously play catchup, which is a risk in itself.
But remember, not all cybersecurity expertise is equal. There’s a difference between technical and strategic expertise. A cyber expert on your board should have both, emphasizing the latter. They should be fluent in cyber terminology and concepts to have productive conversations with your CISO.
Provide essential strategic cyber guidance to executives when dealing with complex cyber operations. Executives must consider company actions and any ramifications that may result. What if efforts that seem promising in the short-term backfire from otherwise unforeseen cyber exposure? Imagine in 2021 (a year before the Russian-Ukrainian war), your CEO was considering moving your Eastern European cloud storage operations to a company in Russia as a cost-saving measure. Your BoD cyber expert could have raised the political issues with such a move (given Russia's tight control of commerce and organizations operating within their borders) and provided other cost-effective alternatives. Your cyber expert can help protect your company from these looming yet hidden threats.
How the BoD can help deter cybersecurity threats
Can a cyber expert on the BoD actually help deter threats if they’re so far removed from daily business operations? Yes, but let’s explain why.
It’s true that companies need cybersecurity solutions because systems develop vulnerabilities. But it’s not true that endless software patches are all you need to stay safe.
No system, computer or otherwise, can be 100% healthy forever. That would be like saying a person can never get sick, not even develop a slight cough in old age! In that sense, software is like the human body — it eventually breaks down (more so without proper upkeep).
When a cyber breakdown occurs — when a technical solution inevitably fails — how deep are your defenses? How prepared are your employees? How ready is your entire organization to come together to mitigate the damage? When you get these parts correct, you drastically decrease the likelihood of a catastrophe.
But you can’t do that by flicking a switch. You need a coordinated effort from the top of the company — the Board of Directors. When a cyber expert is on the BoD, your company can lead with cyber expertise, thus creating company-wide conditions for the strongest possible cybersecurity.
What does this look like in practice? Let’s check out two quick examples:
Scenario A: Phishing attempt thwarted
One morning after New Year’s, everyone in your organization receives an email to reset their password. A few employees open the message. It looks normal … sort of … but the whole thing feels weird. Didn’t mandatory password resets happen last month?
An employee looks closer at the sender’s address, where the company name is misspelled. They immediately press the phishing button. An IT automated response triggers a support specialist to review the incident within seconds. They start a series of protocols to neutralize the threat, notify their manager, and begin an investigation.
This was a phishing attempt that could have ended in disaster. Instead, everyone was relatively alert and responsive. Why?
Because all last year, the employees had a fun cybersecurity awareness training program. IT always wanted to do it, but they couldn’t get buy-in until a new BoD member with cybersecurity expertise helped the CISO persuade the CEO to make the investment.
Good thing — later that week, their biggest competitor wasn’t as prepared and suffered a massive breach.
Scenario B: Ransomware attack rendered irrelevant
One morning, every on-site company computer goes dark. A skull and crossbones flash on the screen with a terrible message:
we have your data, pay 1000 Bitcoin to unlock. or data lost 4ever
1,000 Bitcoin … what’s that, $1.5 million? $2 million? Eh, who cares. It’s too much. It will cripple your business. You might not even survive the year.
Or so the bad actors think.
Luckily, your cloud provider automatically duplicates all your business data in real-time in two different locations. Sure, your systems are compromised in one locale. But your data is safe in another, and you have a business continuity plan. You’ll be back online by lunchtime.
How? Why?
Because you invested in cybersecurity, you still suffered a ransomware attack, but that was always possible. What saved you is that last year, you brought on a board member with cyber expertise. After they gave a presentation on the ROI of a few strategic cyber-first business investments (in this case, building a continuity plan to address a ransomware attack), you filled in the gaps in your approach.
Conclusion
A cyber expert on your board of directors is not a miracle worker. They can’t stop attacks alone. But they can ensure that the critical cyber dialogue with executive leaders actually happens productively.
With the C-suite bogged down in the noise of running an enterprise, the BoD needs to help senior leaders plan and prepare for the inevitability of a cyber attack. They can focus on strategic investments in critical areas, such as employee training and cyber insurance. They can encourage crucial tactical defenses to be put in place, like ongoing penetration testing, and they can support the value proposition of having business continuity systems in place. In summary, they can encourage the proven concept that investing in cybersecurity affords a business the needed protections to operate in today’s modern threat-laden landscape.
A modern board of directors needs a cybersecurity expert. Leaving one-off is all risk and no reward.
Want to know more about how to get a cyber expert on your BoD and start embedding cybersecurity in the fabric of your organization? Just email us and one of our cyber experts will get back to you shortly!
Hasta la vista, baby. Let us translate that for you, “Please share this epic article will all of your amazing friends; we appreciate it,” baby. LOL
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD