Cybersecurity: Why boards need to step up

Part of the board’s role is to protect the company. Yet when it comes to cybersecurity, there’s a tendency for boards to leave it all to IT.

This is unfortunate–and dangerous–because while board members may not be particularly tech-savvy, they are experts at managing risk. Board governance strategies that worked when the risk was highwaymen holding up the mail coach will work just as well against hackers.

Shareholders and regulators are more and more likely to demand evidence that boards are attentive to cyber risk–and to demand the removal of directors or bring lawsuits after a cybersecurity breach.

Board duties generally fall into six categories:

•             Governance
•             Strategy
•             Risk
•             Talent
•             Compliance
•             Culture

Every one of these is important to the effective oversight of a cybersecurity programme. WIthout that effective oversight, the company’s cybersecurity efforts can become meaningless and leave the organisation vulnerable.

The first question boards need to ask is who is responsible (both at board and management levels) for managing cybersecurity risk? Usually, boards delegate this to the audit or risk committee, although some prefer to have the whole board overseeing it. The size and nature of the company will determine best practice.

At the management level, the cybersecurity buck usually stops with the CEO, who may delegate accountability to IT or a Data Protection Officer (DPO). However, cybersecurity governance requires not only tech skills but also management skills like communication, behavioural science, project management and command presence.

While every business unit needs to own and prioritise its own cybersecurity, central decision-making is vital. IT or the DPO should report to a senior executive the board can hold accountable.

Cybersecurity will continue to require considerable attention from the board and collaboration with management, enterprise risk management (ERM), internal audit and cybersecurity experts. Board members must have full oversight and ensure that processes and systems remain agile as cyber threats evolve.