The essential role of boards in managing cybersecurity threats | MIT Sloan Executive Education


As MIT Sloan’s Keri Pearlson and Nelson Novaes Neto contend in Harvard Business Review, engaging boards of directors (BODs) around cyberthreats is vital to organizational security. A recent survey they conducted of directors affirms that there is ample room for improvement:


  • Weak communication: Only 68% of respondents said they regularly discussed cybersecurity with their BODs—and 9% said it wasn’t something their board discussed at all.
  • Uncertainty around roles and responsibilities: Although 50% of respondents reported discussing the board’s role in cybersecurity, what they believed that role should entail was distributed between guiding leadership (41%), participating in a tabletop exercise (14%), and standing by to respond (23%).
  • Insufficient preparedness: Some 23% of respondents said they had no board plan or strategy in place.


BODs are vital because of their fiduciary responsibility to shareholders and their responsibility to oversee and mitigate business risk (including cybersecurity and data privacy risks, which can have significant and lasting impacts). Luckily, board members don’t have to be cybersecurity experts to engage and add value on the issue—they simply need relevant guidance on concepts, risks, frameworks, and approaches. BODs should also be ready to assess management’s preparation and to help with cyber strategy and strategy measurement.

Based on their research, Pearlson and Novaes set forth five key concepts they recommend directors understand and prioritize:

1. Modern day cybersecurity goes well beyond data breaches, encompassing protection against a host of cyber-physical and cyber-digital threats that will continue to gain sophistication. An awareness regarding the scope of risks is essential to fighting back.

2. BODs need to make sure the organization is prepared and has a solid plan—the U.S. National Institute of Standards and Technology (NIST) offers a useful framework centered around five areas: identify, protect, detect, respond, and recover.

3. BODs should focus on risk, reputation, and business continuity, not the technical details of cybersecurity. Bridging the gap requires clear, data-driven communication, research on best practices, and a willingness to ask cybersecurity executives the right questions.

4. Effective cybersecurity incorporates the “castle approach,” named for medieval castles with multi-layered defenses against threats. For organizations, a layered approach includes systems and people—levels of defense can include technology, controls, policy, and organizational mechanisms.

5. Creating a “cybersecurity culture” can vastly reduce risk, since a large share of cybersecurity problems result from human error. This culture relies on shared values and mutual accountability to encourage secure behaviors throughout all levels of an organization.

Pearlson and Novaes also share seven targeted questions they suggest organizations ask their board to ensure shared understanding and commitment. These questions span cybersecurity strategy, systems and detection, protocol, and investment, as well as the action plan for a cyber incident and how the board will be involved.


New course!

Keri Pearlson is leading the new Executive Education course, Cybersecurity Governance for the Board of Directors. Tailored specifically for board members and senior leaders, this course offers essential language, knowledge, and perspectives for cybersecurity strategy, leadership, and management. Gain an understanding of the board’s role in cybersecurity, as well as breach planning, response, and mitigation. You’ll also learn about cybersecurity regulations, current and potential cyber risks, and cybersecurity’s role in data and privacy protection.


Join us live online for the inaugural session November 30 - December 2, 2022.