The Importance of Boards Ramping Up Cyber Risk Oversight

Nicholas J Price
The topic of cyber risk has been in the media for years now. Enough companies have been negatively impacted by it that the topic is finding a well-deserved place on board agendas. Without question, cyber risk must be part of every risk management discussion.

The issues of cyber risk and cybersecurity aren't as foreign to board directors as they used to be. At the same time, most board directors are still struggling to understand where their most pressing vulnerabilities lie. To complicate things even more, board directors are still struggling with asking the right types of questions to get the answers they need to provide proper oversight over cyber risk.

Narrowing Down the Discussion on Cyber Risk

Today's companies are finally seeing the value that CISOs provide in protecting the company from cybercrime. Many CISOs carry the misperception that board directors know very little about cybercrime and the technical jargon that's associated with it. As a result, they dumb down the technical language when making presentations to boards. From their perspective, they want boards to understand the magnitude of the problem and the degree to which their team is able to contain the issue.

The reality is that with every presentation by the CISO on cybersecurity, board directors are getting more and more familiar with the technical terms and are better able to comprehend what they're supposed to be overseeing. It's true that discussions about cybersecurity are still overwhelming for some board directors. While they're catching on to things to look out for, many of them are still struggling to know the right questions to ask the CISO. What they really want is information about the action steps that the CISO is actually taking.

The Questions CISOs Expect to Hear

When giving presentations on cybersecurity, CISOs are prepared to answer general questions about whether the company is secure and how they would know if a breach occurred. Board directors may have questions about how their cybersecurity measures compare with peers in the industry or whether the board needs to allocate additional financial resources to bolster the cybersecurity efforts. The answers to these questions will give board directors a general sense of their cyber protection. Unfortunately, these questions aren't designed to produce the kinds of answers that board directors need to assess alternative solutions to reduce cybercrime.

An easy and pertinent question that boards should be asking their CISO is, 'What are the pros and cons of various potential remedies?' In evaluating the answers to that question, board directors need to apply the answers to various business operations, such as employee productivity, data governance, document retention and governance.

The Questions Board Directors Should Be Asking

Many of the questions that board directors should be asking pertain directly to themselves and the security of the work they do in the boardroom. Can hackers get into their servers? What are their standards for communications software programs? Are they using an app- and cloud-based solution and are they spending too much of the budget on hardware? How secure is the system across all mobile devices? Are documents secure in storage and while in transit? How secure is the document retention process for high-risk internal documents and data?

For boards that use Diligent Boards, Diligent Messenger and the suite of tools that comprise Governance Cloud, the answer to every question is that the cyber protection is highly secure. Diligent has been an industry leader from the start of board management software implementation. Diligent Corporation is a modern governance company that places its entire focus on keeping boardroom information at the highest level of confidentiality possible.

As a word of caution, in the coming years, boards will be inviting more millennials into their boardrooms. Millennials have grown up with technology in their hands and many of them may not have a full appreciation for the necessity of keeping their board communications within a secure platform. They might be tempted to use a non-board-sanctioned app if it were more convenient. Boards will need to continually stress the cyber risks that come with using outside apps or tools.

Maintaining Confidentiality Inside the Boardroom

If a cybercriminal had a choice about the most valuable place to make their mark, without a doubt, they'd love to be a fly on the wall in the confines of a boardroom. That's where all the magic happens between the board directors and the members of the C-suite. The boardroom is where the most sensitive conversations and important exchanges of ideas take place. For cybercriminals, getting information directly from a boardroom gives them the highest payoff.

Board directors may be discussing the negotiations over the share value of a bid they made to acquire a company. In their duties to evaluate their CEO, perhaps they learned about some unsavory behavior that had been going on. Board directors may be talking about a defect on a product, the launch of a new product offering, or a new marketing or pricing strategy. The icing on the cake would be if cybercriminals were able to listen in on board discussions with their CISO about the exact methods they're utilizing to fix hardware or software problems. Things couldn't be worse for a company than spilling their most critical planning and then crippling themselves further by shutting down their communications channels.

Modern Board Management Software Systems Secure the Boardroom

Diligent's board management software system is exactly the modern type of system that cybercriminals hope that companies don't have. Boards that use Diligent Boards and the fully integrated software solutions that comprise Governance Cloud can rest assured that their board agendas, board minutes and email communications are fully protected, as they are stored in the system and while being transmitted from one point to another.

With a Diligent board management system in place, cybercriminals are likely to abandon any plans for attacking a company that uses it. The amount of time and effort that they'd need to break through the system would not be worth their while to get nothing in the end. In answering the tough questions about cybersecurity, a CISO's job is far easier for boards that use Diligent.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.