Sharon Wagner, CEO for Cybersixgill, recently discussed in his Forbes article
Board Members Need to Look At Cybersecurity As More Than Just Protection how and why board members need to be as informed about a company’s cybersecurity efforts as they are about its finances.
To be a well-informed and effective fiduciary, board members must now focus on issues outside the comfort zone of their established expertise areas. Given the actions of embolden threat actors who have access to seemingly endless compute power, tools, and intelligence – cybersecurity is one of those increasingly important areas. This means that board members need to commit to increasing their cybersecurity knowledge. There are four useful places to start – addressing the relationship of cybersecurity to business growth, brand protection, regulation, and a reframed CISO-board relationship.
1. View cybersecurity through the lenses most appropriate to business growth, not just data protection.
In an environment of rapid digitization with increased expectations placed on business performance and scalability – boards need to view a company’s ‘security agility’ through the dual lenses of protection and growth. Technology and processes must protect data, but they cannot restrain the company from growing in the most agile manner possible. Companies must operate in increasingly ‘elastic’ ways to scale in boom times and contract in recessions, and that requires security reconsiderations around the workforce and technology infrastructure.
2. Know when to prioritize brand protection over data protection.
If the more significant business value is in a company’s brand as opposed to its data, then the question looms for Board members about whether the company’s security technology stack and practices are optimized for this. That means demanding the addition of IT practices to monitor for, and act on, negative brand exposure – at least at the same level of robustness that is currently provided for data theft.
3. View regulation as a friend and not a foe.
There’s real value to be found in having a better perspective around existing and future regulation and compliance requirements. Industry standards and tools (such as PCI DSS in retail and FFIEC CAT in finance) can provide the basis for the creation of a new ‘prescriptive framework’ that can help a company more clearly understand its current risk profile.
4. Promote a more collaborative and elevated relationship with the CISO at the board level.
The CISO should be the board’s partner in defining and addressing cybersecurity from the broader perspectives of business growth, brand protection, and regulation. Board members can be helpful in enabling the CISO to succeed in this new relationship if they proactively elevate the CISO’s voice, provide resources to at least match those of threat actors, and support the CISO in the development and monitoring of frameworks and KPIs that reflect a perspective on security that protects data without stifling business growth.
For more on this subject – read Sharon’s full Forbes article here.