5 Steps Boards Can Take for Better Cyber Risk Oversight

Nicholas J Price
The fourth industrial revolution is also called the Information Age. This is a time when numerous new technologies are making their mark on a daily basis. New markets are springing up, creating new trends as they go, and disrupting traditional business models and markets. As technology becomes more advanced and complex, it gives us the capability to have interconnectivity with multiple dimensions and multiple disciplines. Business as we've known it is becoming smaller and the cyber world is growing by leaps and bounds. This degree and pace of change doesn't come without major risks.

Modern board directors have the difficult task of identifying risks, assessing them, and figuring out how they affect their strategic planning and oversight responsibilities. The topics of cyber risk and cybersecurity fall under risk governance and should be major topics in every boardroom. Companies collect data that is of great value to cybercriminals, who can use it for personal gain. Boards have the responsibility to preserve and protect that data and to ensure that it is used only by the right people and only for the right purposes.

5 Cyber Risk Oversight Best Practices

Let's look at 5 steps that boards can take to fulfill their duties of cyber risk oversight.

1. Make Cybersecurity an Enterprise-Wide Initiative

To be effective, cybersecurity efforts must be applied across all departments, processes and operations. Boards need to have a cyber-focused mindset starting at the top and encourage the rest of the enterprise to build a cyber-conscious culture. Proper board oversight requires aligning the company's core values and ethical principles with the organization's cybersecurity strategy, risk appetite, risk tolerance and business approach.

Part of making cybersecurity an enterprise-wide initiative is defining terms related to cyber risk and using them often enough that executives, board directors and others are comfortable using them. Boards should ensure that management is encouraging cybersecurity awareness by offering company-wide education to employees, third parties, contractors and others. Managers should arrange for general information security training as well as training around security and awareness as it pertains to individual job descriptions.

2. Test Your Cyber Protections Often

While it's important to have various cyber protection plans in place, there's no way to know if they work unless you test them. Penetration testing offers companies a way to test their cybersecurity measures to ensure that they work before a hacker has an opportunity to break through and initiate a full-blown crisis.

Penetration testing can be done in-house or by outside professionals. It simulates a real-world attack without actually infecting a system. The goal is to identify and expose gaps in security that could lead to theft of data, intellectual property, personally identifiable information or other sensitive information.

Penetration testing provides opportunities to learn where companies need to bolster their defenses. Another benefit of penetration testing is that it can help companies identify breaches earlier and improve their response times.

One of the easiest ways for hackers to get through is via employee error. A common tactic is to send out phishing emails and try to get employees to click on an embedded link. For example, a common scam is to tell employees that they must complete a mandatory password reset. When the employee clicks the link, it infects the system with malware or opens the door to confidential information.

3. Develop a Better Rapport with Your CISO

The CISO position is fairly new. Thus, boards and managers aren't always certain how they're supposed to interact and share information with the CISO. The relationship begins with boards and managers understanding where the CISO sits on the organizational chart and who controls the budget for that department. Boards and managers should be having engaged conversations with the CISO about cyber risk on an ongoing basis.

It's also the board's responsibility to make sure that the CISO gets involved in every aspect of the organization, including the legal department, audit department, human resources, business development, supply chain and third-party vendors. The entire C-suite and the board should be in on a presentation by the CISO for an incident response plan. It's also helpful for the board to get to know the security team before an incident occurs.

4. Think Hard About the Skills You Need

It's no longer sufficient for boards to merely accept reports and presentations from IT specialists about cybersecurity. It's time for board directors to understand where cyber threats come from and how they work. Boards need to be briefed on exactly what the company's strategy is and be knowledgeable enough to monitor it. Additionally, boards need to know with certainty the details on how the company will respond in the event of a breach.

It's necessary for boards to team up with management on plans to integrate cybersecurity protection into their overall business strategies. Board directors also need to educate themselves on cybersecurity issues well enough that they can ask challenging questions of the executives.

The icing on the cake for cybercriminals is to learn about a company's cybersecurity plans, which would make it even easier for them to penetrate a system. Cybersecurity protective measures start at the top with a secure board management system by Diligent Corporation. Board directors should only be communicating through secure channels. Diligent Messenger is a highly secure communication platform that fully integrates with the Diligent Boards portal so that hackers can't break through and steal confidential information about the company's cybersecurity plans.

Board directors should also be relying on Diligent's secure file-sharing program so that they can send whole files with high security. The entire program works together and includes a secure meeting workflow system where directors can secure and automate collating and managing board meeting materials.

5. Bring Outside Perspectives into the Boardroom

While board directors need to have a good working knowledge of cyber risks and cybersecurity, it's impractical to consider that board directors would have the same level of technical knowledge as experts. Boards have to know when it's the right time to call in specialists to help them.

Depending on the company, boards can take responsibility for cybersecurity or they can delegate it to a committee. Either way, they may need the help of third-party advisors such as law firms, audit firms, insurance experts or communications firms. It's also helpful for board directors to establish relationships with law enforcement and the FBI before a breach occurs.

Cyber risk is still a somewhat foreign topic for many board directors. That's not a reason to turn a blind eye to their oversight responsibilities. Boards can get off to a good start by making cybersecurity an enterprise-wide initiative, testing their systems, developing a good relationship with the CISO, asking the right questions and bringing in outside expertise as needed. While these five steps are a good move in the right direction, boards need to keep building on their efforts toward cybersecurity oversight.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.