Five Steps to Bridge the Cybersecurity Gap Between IT and the Board

Imagine if a band of marauders stood outside your corporate headquarters 24 hours a day, throwing rocks, firing projectiles and pretty much trying to cause as much mayhem as possible to your business. Would a board ignore the consequences with inaction? It turns out that marauders most likely are taking aim at your business around the clock—you just don’t see them. And if they haven’t already done so, someday they will break inside the wall. These are hackers. And many of today’s boards seem to show a shocking indifference to their presence.

Surveys show that only about half of US companies have comprehensive policies and procedures in place to address cybersecurity. Outside the US, the percentages are even lower. These companies leave it to the CIO to keep the castle protected, and that’s a mistake.

Cybersecurity is not just a technical problem to be solved. Too much is at stake. Your website conveys critical branding and advertising messages to consumers, and probably gives them an opportunity to buy your product. Internally, technology is what keeps your company operating and communicating efficiently. Transaction systems keep cash flows flowing on the customer-facing side of your enterprise while the financials are reconciled on the back end. If an attacker damages any of those functions or absconds with IP or, worse, customer data or actual cash, you’ll understand quickly the non-technological consequences of poor computer security.

Board members don’t have to become technical experts—that can be left to IT. But they do have to manage risk and allocate resources. Cybersecurity policies, processes and protocols need to be set into motion at the board level and driven down as an organisational priority.

Here are five ways board members can start the ball rolling:

1. Elevate IT security to the board level. Start internally with an IT or CIO presentation that outlines what safeguards are in place, associated policies and procedures, and examples of actual attacks that have taken place on your systems. (The major assaults shouldn’t be news, but you might be surprised at the constant barrage and growing sophistication.) Also, bring in third-party board advisers, who can guide you through a cybersecurity policy review.

2. Change the security mindset. The thing is, it’s not if an attack will be successful, but when. Response is every bit as important as prevention. The metaphor of cybersecurity as a moat around the castle is often used—if the barbarians breach the moat, story over. But that’s not really the case anymore. A digital intruder is not the end of the world if controls are in place that identify a breach is occurring and contain the fallout. If you can report that no customer data was affected and the damage was limited by careful preparation, then your company will look great, because they were honest about what was happening and well prepared to minimise the damage.

3. Get the after-attack protocols right. Part of that preparation we just talked about is planning ahead of time what such a response will look like. Who will speak to the media? To stakeholders? To shareholders? What will they say? These are board-level decisions that need to be made, communicated and rehearsed so everyone knows their part when disaster strikes.

4. Security starts at home. Most successful attacks are caused by being internally compromised. The EVP who leaves her smartphone back at the restaurant. The administrator who drops a memory stick jammed with credit card numbers or identifiable customer account info. The shop floor manager who opens an unbidden e-mail. The board needs to drive a culture change in this regard and to develop processes and procedures that back up the message that cybersecurity is a top priority. Have you considered starting with yourself? What example are the board and leadership team setting for the rest of the organisation?

5. Set the resource allocation appropriately. The IT budget as funded today won’t cover improvements that are needed in terms of personnel, strategy and tactics planning, and equipment deployment. The board must not only make security an organisational priority, but resource it appropriately.

In the end, cybersecurity is a risk issue, a business issue and, most importantly, a leadership issue. The good news is that more and more companies see the growing threat. The bad news: far too many of them are not taking the necessary actions to protect their businesses, especially in the boardroom.