Growing cyber threats and new rules on cyber disclosures put pressure on board members, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) alike to keep an eye on the landscape and stay ahead of change.
What trends and risks are top-of-mind? What can organizations do to keep themselves cyber-ready?
How board members can stay ahead of emerging risks and regulations
1. Elevate cyber focus within committees
In the current landscape, cybersecurity demands dedicated attention beyond sporadic full board meetings. It merits consistent committee engagement throughout the year, similar to how finance, compensation, and audit are handled.
Designating a dedicated space with an unwavering focus on cybersecurity is paramount. As evidenced by Fortune 500 companies, a substantial 12% have established reliable technology committees, underscoring the gravity of this measure.
Solutions can be integrated within the existing framework for boards that may need more time to create a new committee. The governance committee, for instance, holds potential. Given its manageable workload and scope, there’s room for accommodating cybersecurity responsibilities without overwhelming existing functions.
2. Enhance cyber expertise within your board
Assess your board’s grasp of critical cybersecurity standards, such as the NIST framework and the underlying policies and procedures. Are they prepared for the demands of cybersecurity disclosures? In anticipation of heightened scrutiny, conducting regular cyber briefings for the board becomes imperative, fostering engagement and awareness. An essential step involves ensuring the presence of at least two board members certified in cybersecurity.
Augmenting the board’s proficiency can be achieved by integrating IT and InfoSec leadership into the board itself. The strategic inclusion of roles like Chief Information Officer (CIO) or Chief Information Security Officer (CISO) warrants consideration. As a result, a nucleus of individuals well-versed in cybersecurity is formed, enabling them to exercise more effective oversight and grasp risks at a deeper level.
Leaders must embrace these opportunities with certainty regarding the intricacies of technology. Cybersecurity should be treated as a prominent business risk, analogous to other multifaceted challenges. The board is poised to bolster their capacity for robust cyber governance by approaching this domain with a business-oriented perspective.
3. Forge proactive collaboration with the in-house security team
With this technological acumen, boards are poised to foster meaningful collaboration with the Chief Information Security Officer (CISO) and the IT team. This synergy ensures the precise level of oversight required to uphold organizational security. A pivotal step involves having the internal security team present before the board, offering insights into the current landscape and a succinct overview of both risks and security measures. This engagement establishes a robust foundation for board members to delve into pertinent inquiries that empower them to comprehend the subject matter better.
As the board’s involvement intensifies, the resultant engagement becomes a cornerstone, comparable to the approach taken for other critical risks. The degree of interaction and partnership between the board and the internal security team proves indispensable. This collective effort serves as a linchpin in safeguarding the organization and navigating the evolving cybersecurity landscape.
4. Elevate risk and preparedness in cyber conversations
Evaluating security prowess, gauging resilience, and understanding risk exposure are paramount considerations for boards across every industry in the context of cyber risk.
Implementing red team and purple team exercises is a valuable approach to address these crucial queries. By simulating actual threats and testing the waters within a controlled environment, organizations gain insights into their vulnerabilities without disrupting normal operations.
Additionally, the concept of resilience deserves close attention. The ability to sustain business operations without relying solely on the Internet becomes pivotal. Many businesses have faced varying setbacks during cyber breaches due to an inability to function manually.
Conducting tabletop exercises, which involve immersive simulations of potential scenarios, is essential. These exercises should be executed at least annually to fine-tune response strategies. When presenting to the board, InfoSec leaders should adopt a risk-centered framework that encompasses the following:
Identification of concerning threats:
- Articulation of the strategies employed to mitigate these threats
- Explanation of the testing methodologies employed to validate the feasibility of potential threats
- By making risk evaluation and preparedness integral to cyber discussions, organizations proactively fortify their defenses and enhance their overall cybersecurity stance.
5. Enhance risk oversight
In the modern business landscape, robust risk management must be extended to critical areas, including mergers, acquisitions, and the intricate web of supply chains. Every organization’s increasing reliance on physical and digital supply chains is undeniable. However, it’s concerning to observe that many boards must establish crucial links between risk evaluations involving third, fourth, or even fifth parties and their procurement, risk management, and security teams.
The vulnerability of the supply chain is a standout concern. While it’s a prominent risk area, it’s not the sole one. Statistics reveal that nearly 40% of breaches originate from supply chain weaknesses. Another pivotal aspect prone to vulnerabilities is mergers and acquisitions. For instance, when an organization acquires a smaller entity lacking sufficient cyber protection, the risk profile escalates significantly.
In the pursuit of comprehensive risk mitigation, a proactive stance is imperative. Experts emphasize the value of curiosity and diligence. Board members can uncover invaluable insights by delving deep, probing, and posing pertinent questions. This practice strengthens the organization’s resilience against risks and ensures a robust security posture across all dimensions.
6. Prioritise fundamental cyber vigilance
Maintaining a vigilant approach to cyber oversight involves delving into your organization’s practices and procedures comprehensively:
Are all employees equipped with pertinent and current cyber training?
Is the administration and tracking of this training consistently prompt?
To what extent are cyber teams and the board embracing and incorporating state-of-the-art tools for safeguarding against cyber threats?
Proactively staying ahead of the cybersecurity curve hinges on your role as a board member and your ability to pose the correct inquiries. By addressing these critical aspects, you can reinforce the foundation of cyber resilience within your organization.
7. Make third-party support business as usual
Incorporating third-party cyber assistance, such as leveraging a managed services provider, holds substantial potential to bolster your internal CISO team’s capabilities. Enlisting a partner who informs you about emerging threats and reinforces your in-house CISO efforts can undoubtedly contribute positively. Although familiarity with your support system has merits, the value lies in diversifying your approach through exercises like tabletop scenarios, where you simulate encounters with various adversaries.
Once these external resources are engaged, regular evaluations become imperative. It is prudent for board members to contemplate specific crucial questions: “Are the chosen external cyber penetration vendors truly aligned with our needs?” Furthermore, ensuring that adept professionals are involved in assessing and thoroughly scrutinizing your cybersecurity posture is equally essential. However, it’s crucial to only cede your decision-making authority partially to external experts. As a director, you are responsible for exercising your business acumen.