In 2019, for many businesses, experiencing a security breach is not a matter of if, but of when.
And when it comes to building security safeguards, winning meaningful engagement and, ultimately, buy-in from the Board of Directors can be frustrating when business risk priorities end up misaligned, delayed, or, at worst, ignored.
Building confidence in cybersecurity initiatives takes due diligence, open-mindedness, and sheer tenacity to break through the noise and hyperbole from the media and industry pundits.
The proverbial sky may seem to be falling, yet with a thoughtful, logical approach and support from key stakeholders, it can be held up long enough to shore up defenses and prevent a catastrophic cyber event.
Current reports reveal the importance of having at least a cursory level of security literacy and understanding of cyber risk within the boardroom:
- Gartner estimates by 2020, 100% of large enterprises will be asked to report to their Board of Directors on cybersecurity and technology risk at least annually.*
- 87% of Board members and C-level executives have said they lack confidence in their organization’s level of cybersecurity.**
- Due to the low quality of reporting on information security, 52% of respondents think their Boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place.**
Know Your Audience
Most Board members are familiar with business risk in general but may not be familiar or up to date with the many forms cyber risk takes. To say that threats evolve daily is less an understatement than a call to arms. With the increasing sophistication and financing behind attacks, malicious actors and rogue nation states pose a real and credible threat to businesses of all sizes, worldwide.
Since a Board is typically oriented toward business strategy and financial results, gather valid and timely threat intelligence so that your recommendations are well informed and actionable. Whether the firm is a publicly traded company, or operates in a heavily regulated industry such as finance, healthcare, retail, or energy and utilities, will shape which key metrics the Board cares about.
Potential repercussions of a cyber breach or compromise include legal liability, impact to shareholders, reputational damage, and loss of customer loyalty. Flesh out answers to these two basic questions to highlight security gaps in any overarching cyber defense strategy:
- What am I trying to protect, and prevent from happening?
- What is the worst possible potential outcome?
One key distinction to make is between meeting regulatory compliance and actually bolstering security. A company may be in compliance with regional and industry mandates and standards such as GDPR, PCI DSS, or HIPAA, yet compliance is a baseline, not a guarantee that the company can withstand an attack.
Other Tactics to Increase Positive Traction
Create a Task Force or find one or more Champions for security. Accept that you may not be able to educate and influence the entire Board; not every Board member will have the enthusiasm or the desire to know all the details. Collaborating with a stakeholder Task Force or Champion gives you the opportunity to roll up your sleeves and articulate risk thresholds and business impacts with people who share an appetite for the minutiae.
A Champion can be the one person with whom to dive deep on current solutions, accelerate a program, and remove bottlenecks. They can also help outline the cybersecurity metrics and measurements that matter most to the Board, presented in the terms that will resonate most strongly.
Present facts and simple stories. Demystify complex, technology-laden language, and use business terms and outcomes wherever possible. When presenting data or metrics that would take an engineering degree to decipher, err on the side of simplification: raw numbers may not make sense to the audience or convey that a condition is critical.
Many people struggle to conceptualize large data sets, so use simple visuals and concept diagrams where you can. Easy-to-follow red, yellow, or green status against milestones is often more effective than dense charts and graphs.
If your Board is more literate and engaged, create a timeline that highlights current operational strengths and the areas that need improvement. Ask yourselves whether you are keeping pace with the threats currently hitting your industry (e.g. ransomware attacks on municipal governments and healthcare providers/hospitals).
Don’t Make Your First Breach a Real One
Preparing for a security breach can demand significant resources and personnel. Be proactive and download our eBook “A Modern Application Security Program Playbook: 8 Essential Steps for Creating a Security Strategy Across Development and Operations” today.
** Ernst and Young’s 19th Global Information Security Survey, 2018