Five Questions For the Board: Cyber Security Is the Board's Business
By Kim DeCarlis, Chief Marketing Officer, Imperva
Board members have a fiduciary responsibility to establish and govern the business policies and practices that drive a company's financial performance and growth. But do they have a comprehensive enough view of your enterprise's defense posture to be conscientious stewards of the business?
In the past they may have viewed cyber security primarily as an IT responsibility, but many now realize the challenge extends far beyond the bounds of technology. Corporate boards face rising legal liability if they fail to adequately govern risk and protect their businesses from cyber attacks.
With so much at stake, are you giving the board members the information they need to support smart security strategies? Forty percent of board member respondents in the Wall Street Journal CIO Report are dissatisfied with the information they receive from their security teams.
Now is the time to start a conversation. You will need to answer the questions that yield the insight the board needs to make informed, cyber-conscious risk management decisions. Rather than asking board members to reactively sign off on proposed cyber security strategies presented with limited evidence of business value, proactively dig deeper on their behalf and invite them to look under the hood.
Your board members should request additional information and challenge assumptions so that they are better prepared to oversee the company's cyber security posture, and to ensure that the organization strikes the right balance between minimizing risk and propelling the innovation that fuels competitive advantage.
Consider answering the following questions to initiate an ongoing dialogue with board members.
1. All companies are vulnerable to major data breaches; what are we doing to minimize potential damage, avoid disruption of business operations, and keep our name out of the headlines?
Given the absence of a common vocabulary or clear standards for cyber risk management and board oversight, this question can lead to a discussion of best practices for information security management. What lessons can be learned from how peer companies and competitors are addressing the cyber security challenge?
2. How prepared are we for a cyber attack? What plans do we have in place for threat prevention, detection, incident response and containment?
The first order of business is discovering your assets and risks so you can protect your most valuable business data and applications from cyber attacks. This remains a challenge for many organizations: Verizon's annual Data Breach Investigations Report found that nearly 70 percent of companies discover data breaches via a third party, and they typically do not learn of a compromise until months after it occurred.
Is there a crisis communications plan that outlines the process for disclosing incidents and sharing information with peers, regulators, law enforcement, shareholders and media contacts? Is the legal team poised to advise on and handle reporting requirements? It makes sense for the board to ask for details, including whether and how incident response plans have been rehearsed.
3. How do we effectively protect our "crown jewels", the valuable digital data and applications that are most critical to our business and most vulnerable to attack?
Companies must rank the cyber risks that jeopardize business-critical assets in the same way they prioritize other vulnerabilities. It is a risk-reward balancing equation that involves implementing tiered security measures focused on the highest-value targets, since any breach of these assets would significantly harm the organization.
4. Where on the cyber threat spectrum should our needle point? What is our risk appetite and our acceptable risk tolerance?
Corporate directors may rely too heavily on people, processes and technologies that do not deliver concise information linked to key business objectives. Quantify the organization's risk appetite and tolerance; ensure that the risk strategy is aligned with them and that sufficient resources have been allocated. Revisit the critical elements that are core to the company's success and ensure they are rigorously protected.
5. We spend millions of dollars on cyber security every year; what are the highest-priority initiatives the board should support to stay ahead of adversaries?
The organization's risk tolerance must be clearly communicated across the enterprise. All employees need to know specifically what falls within and outside acceptable boundaries. Embedding cyber security awareness across the organization means training employees, ensuring they are familiar with security policies, and verifying that they demonstrate secure behaviors regarding system and data access.
If you continuously answer these questions, not only will your board's cyber security literacy dramatically improve, so too will the partnership between IT and the board. When corporate directors and information security leaders understand each other's language and engage in a business-focused dialogue, they dramatically improve their ability to collaboratively develop and implement the risk management strategies and technologies that will protect the enterprise and sustain marketplace success.