The world has changed a lot since the first case of COVID was found in Wuhan. The virus did not just affect our day-to-day lives, but also our work. As a Board member of an organization, how much do you understand about Cybersecurity or the changing world’s impact on your security posture? Do you have the right advisors who can help your Board be cyber-aware and empower the right person to help the organization stay secure?
If you answered yes to any of these questions, then you are reading the right blog post. This blog post is about how Boards of any size company can ensure their CISO /CIO or IT teams are doing the right thing to protect their business.
We all know that there are two types of organizations:
1. The ones that know they are hacked
2. The ones that don’t know!
Any company regardless of its size should assume there’s been a cybersecurity breach and take the right actions to minimize malicious effects and repercussions.
While there are two types of organizations, of course, there are also two types of Boards:
1. Those that approve their teams to take a defensive posture related to security
2. Those that empower their teams to take an offensive approach
It’s a famous saying by entrepreneurs that they hire people smarter than themselves. I disagree. I’ve seen many hiring managers do just the opposite, and the same thing happens at the Board level! Someone with many good connections can easily be hired into C-level technical positions, and in my career, I’ve helped many of them restore their business with highly skilled Incident Response teams.
A good example of this is the famous SolarWinds attack, where the ex-CEO and current top executives blamed an intern for using the password “SolarWinds123”! Don’t you think it was a lame excuse? So what can you do to not be included in the same category as this type of executive?
By now, any Board member should know that cybersecurity is not just a cost center and a technical endeavor. IT is a “key” component that transforms business. If the technology is used correctly, IT is actually a profit center. Look at companies that invested in the cloud way before COVID, and how easily they transitioned from working in the office to working remotely when prompted by world events!
Boards should support innovation, and innovation is mostly achieved via technology. While technology is very important, securing it is of course just as important, and this is why Boards should task their executive management to have Incident Response plans in place to proactively manage a cyber attack, and in the event an attack does happen, know how they plan to get back online as soon as possible. And while tech teams are busy doing that, the Board should know how to communicate the strategy with their customers/partners/media, and of course the regulators and government overseers. Boards need to be mindful, innovative, and resilient.
So, what are the 4 key questions Boards need to address?
1. How can IT help generate revenue?
A digital transformation program is not just about technology. It is also about risks. Wherever technology is implemented and used, risk management should be employed as well to identify any possible security gaps, and any gaps that cannot be mitigated should be reported to the Board.
2. What is your Cybersecurity Strategy?
In other words, what does cybersecurity mean to your organization?
As the Board, you need to know all the consequences and repercussions associated with a breach of your business, and how to respond to not just the attack but also to your customers, shareholders, partners, employees, vendors, and more! The Board needs to approve the “Cyber Risk Framework.” All possible exposures need to be assessed for impacts based on metrics such as response time, cost, and legal or compliance implications, with plans in place to attract investment commensurate with a risk-based assessment.
Any Board should know what information in the organization is business-critical, and be able to answer the questions below without any hesitation:
- What are your crown jewels, and how do you currently protect them?
- As the Board, do you conduct a periodic review of your cyber resilience posture?
- Is your Cyber strategy aligned with your business risks?
- Are all risks identified? Do you monitor your risks, and if yes, how?
- What are the escalation metrics?
- What is the people strategy for your business? And is this also aligned with your Cyber Strategy?
- Does your cyber strategy cover insider risks, and how do you monitor/mitigate these risks?
- What is your business’s relationship with your Partners/Third Parties, etc.?
- Is the relationship with your supply chain part of your cyber strategy?
All the answers to the questions above should provide you “satisfaction” with how your critical information, assets, and data are secured. The Board should have confidence in what is done in the IT space, and how it affects the organization.
And the final question about security strategy is:
- How is the budget aligned, and how do the allocated company resources make your Cyber Strategy successful?
In other words, your ROI needs to be clear and explicit.
3. As a Board, what is the established plan for developing solutions to the areas in which the organization is lacking?
Appointing ownership for the cyber security project is important. It is also important to know and fully understand the legal implications of cyber risks and the ownership of the Cyber plan. For example, the Chief Information Security Officer (CISO) should be empowered to implement the cyber strategy successfully and be encouraged to reach out to any member of the Board when needed.
4. Does the Board have the right committee to understand cyber matters?
Most Boards have external advisors. It is imperative that the Board select the right advisor, an expert that understands not just business but also Cybersecurity to its core.
I have seen too many “external board advisors” hired based on “recommendations,” which may not be wrong, but if the recommendations come from Board members who are not sure if they are “cyber ready,” then the recommendation is very likely not going to be right!
Again, throughout my career, I have met many advisors concerned about how they were advising others when they themselves were still learning the basics of Cybersecurity. For sure, they were excellent communicators, using the right buzzwords based on articles they were reading. But when it comes to cybersecurity, expertise is everything.
There will be more blog posts in the near future about this topic; please keep an eye out for my LinkedIn page or this blog site to read more.
If you think you need help understanding cybersecurity better, consider reading my new book; details are provided below.
Time to get CISO part of the board