Cybersecurity as a ‘board issue’ has recently become a commonplace topic in conversations in and around our industry. That is fair enough: protecting people’s data should now be as important to a business as any other responsibility, and boards are undoubtedly more aware and mindful of cyber-risk than they have ever been.
That is certainly a good thing, and it’s indicative of just how much businesses rely on IT and the security of information to operate. However, the question of whether cybersecurity is enough of a board issue is still very much up for debate.
I say that because awareness is one thing and understanding is quite another. I believe many corporate boards are no better than before at understanding the nuances of security and their full impact on the business; they are simply more aware that cyber-threats pose a huge risk. There is still some way to go before understanding catches up with awareness.
Boards exist to navigate businesses through risk, and there are few more critical risks in today’s world than cybersecurity. However, claiming to be on top of information risk management because it appears in the operational risk register does not cut it, and many boards are still failing to get genuinely involved in cybersecurity strategy. PwC’s The Global State of Information Security Survey 2018 highlighted this, finding that just 31% of corporate boards directly participate in a review of current security and privacy risks.
So how do you remedy this? One argument that many in the industry make is that boards need to be more open to regularly inviting security professionals into the boardroom, whether external consultants or, in some people’s ideal, the company CISO (the boards that currently do so are very much in the minority). Boards are made up of business people who do not think like experienced security experts, so it makes absolute sense for boardroom discussions to include individuals who do.
The big problem is that boards have been, and by and large still are, very reluctant to invite cybersecurity experts into the boardroom. Several things play a part: a lack of confidence in the expert’s ability to communicate without resorting to technical jargon; doubts about their understanding of the company’s business objectives and their ability to articulate how information security aligns with them; fear of being sold something the business does not need; and even anxiety that some horrific security issue will be brought to light.
Therefore, it is certainly not a universally held view that senior security professionals should have a seat, or at least a voice, on the board. Most boards instead prefer to keep them on the periphery of boardroom discussions, much like the heads of other key business areas such as HR or health and safety. The difference is that those are traditional business areas that people understand better and have a longer history with. By contrast, cyber-risk has emerged in a far shorter time and is evolving at a much quicker rate.
Of course, any information security professional who steps through the boardroom doors needs to be able to quantify cyber-risk in a way that resonates with business leaders who don’t speak XSS or SQL but will connect with ROI, customer retention and how security affects the bottom line (for example, expressing a risk as an expected annual loss alongside the cost of the control that reduces it, rather than as a list of vulnerabilities). So as much as boards still have work to do to involve themselves in the wider picture of cybersecurity within a business, security experts also need to become more business-minded people who can communicate effectively up the enterprise hierarchy.
Awareness is the first step in the right direction, but deeper understanding needs to follow, because without it, boards are not well-positioned to exercise their responsibilities for data protection and privacy matters. If corporate boards aren’t taking every step possible to fully educate themselves on the business ramifications of information security by engaging with the security professionals they have around them, they are setting themselves up for a monumental fall.