Cybersecurity on Board
A playbook for boards to elevate their knowledge of cybersecurity issues
“There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again. Maintaining a code of silence will not serve us in the long run.”
—former FBI director Robert Mueller, 2012
A decade later, this statement couldn’t be more accurate. Cybersecurity is a “forever” problem for companies and their boards, which are now awakening to the severity of the issue and starting to consider CISOs and other professionals with cybersecurity expertise for board seats. Appointing a director with this competency won’t make the problem disappear, but it is a sensible step toward a higher level of cybersecurity awareness across the board and better-informed decisions.
It starts with the chair committing the entire board to this mission. One director alone is not enough to ensure the company is resilient. It is every director’s job to develop a working cybersecurity literacy: the risk factors, the regulatory environment, the legal implications. This is no different from the expectation that every director can read a P&L, a balance sheet, or a cash flow statement. The good news is that board members are increasingly treating the issue as part of their regular meetings and their own development. This playbook offers practical guidance to boards and chairs looking to get smarter about cybersecurity.
1. Invite the CISO in
The easiest way to educate a board of directors on cybersecurity is to invite the CISO into the room to present to the full board at least once a year, not only to the risk, audit, and nominating committees. Think of your CISO as a resource for the board as it builds a resilient organization and discharges its fiduciary duties. Don’t be afraid to ask the CISO or cybersecurity executive to explain an issue in non-technical terms. The chair is instrumental here: tapping into the collective curiosity of the entire board and encouraging everyone to ask what they need to ask without fear of appearing uninformed.
It’s time to treat cybersecurity as an existential threat to the business. Have the CISO run tabletop exercises every quarter, simulating a realistic incident such as a ransomware attack, and invite the executives who would actually be making decisions during one (CEO, Chief Legal Officer, Head of IT, PR, Communications). Use these sessions to rehearse the hard calls before they are real: who declares an incident, who speaks to customers and regulators, and who has authority to take systems offline. Keep the lines of communication open between exercises. Beyond that, encourage the CISO to develop a broad view of the business, because security advice is only useful when it is tailored to the business strategy. Use your own team. The people running security for your company should be on the agenda, and they should be in the room.
2. Ask the right questions
Cybersecurity can seem even more intimidating when technical jargon enters the conversation. Fortunately, to govern the issue effectively, directors do not need to learn the vocabulary or the basics of coding. They are fiduciaries, and their job is to ensure the company anticipates risk and is ready to respond to incidents such as ransomware attacks. Questions every board member, the chair included, should be asking:
- How can cybersecurity serve as a foundation for a resilient organization?
- If we are attacked, how quickly would we know, and how would we contain the damage and keep the business running?
- Can customers trust our company with their data?
- Can regulators trust that we are complying with the regulations that apply to us?
3. Normalize cybersecurity
Think about the high-profile cyberattacks on Target, Sony, Equifax, and JBS, all massively disruptive and harmful. None of these companies shut their doors; they worked through the crisis and came out of it with stronger security programs. Suffering a ransomware attack is an experience no company wants, but there should be no shame attached to it. No matter how sophisticated a company’s defenses are, a determined attacker can likely find a way around them. Cyber risk looms over every company and institution. The best course of action for boards is to bring it out of the shadows and build their knowledge, commitment, and preparedness.
4. Hire experts of diverse backgrounds
It’s not enough to know how to spell cybersecurity. Boards need someone with substantial, meaningful first-hand experience. A CISO would be ideal, but boards have latitude to look beyond the “obvious” candidate. While boards don’t want to be seen as chasing the “fashion” of the moment by hiring a cyber expert, adding a member who also has a strong commercial or strategy background, perhaps with a military or XXX background, could be highly beneficial.
While the first instinct may be to recruit a sitting CISO, boards should broaden their lens to a larger pool of candidates who are highly qualified not only on this issue but across a wider set of skills and knowledge. Look at retired professionals, military veterans, and other candidates with less obvious backgrounds. What matters is that the candidate can anticipate issues, inspire others, and is determined to build resilience into the company. The board’s job is not to know the “ins and outs” of a ransomware attack; it is to ensure, from a fiduciary’s perspective, that the company is equipped to handle one.
5. Accept you don’t have all the answers
Cybersecurity issues are constantly changing. No board can anticipate when the next breach or attack will occur, but it can raise its level of preparedness by following the steps above. A board that keeps cybersecurity on its standing agenda and maintains regular contact with the CISO and the company’s security experts becomes part of the organization’s “human firewall” and its overall resilience, while acknowledging that no strategy is perfect. Directors are the guardrails of any company, but they don’t have all the answers. It is just as important to surface the questions that remain unanswered.