As new headlines of incidences of cyber breaches emerge, board directors of every size corporation start mentally processing whether they know enough about cybersecurity, and whether they’ve done enough to truly protect the company. If board directors are being honest with themselves, most of them don’t understand enough about technology to make an accurate assessment of the company’s level of protection. The General Data Protection Regulation law (GDPR) is placing even more pressure on board directors to understand and respond to cybersecurity issues.
Perhaps what is even more unsettling is that while many board directors acknowledge the existence of a cybersecurity knowledge gap, they don’t know how to resolve it effectively. With litigiousness continually on the horizon, the future of board activity means that board directors will need to delve into deeper conversations about cybersecurity. Clear communication makes all the difference.
Shareholders and Regulatory Bodies Hold Companies Accountable for Cyber Breaches
Past lawsuits over cybersecurity breaches at Target, Home Depot, Wyndham Hotels and other large corporations have not been largely successful, but the fact that they’ve been brought to the courts means that there’s the potential for future lawsuits. These lawsuits send a clear message from shareholders that they want more protection against cyber risks, and that they’re willing to hold board members accountable for their fiduciary duties.
Shareholders get a little assurance from regulatory bodies that take a reactionary stance on cybersecurity by enforcing rules around good corporate governance. Due diligence toward fiduciary duties requires board directors to stay fully informed about the protections and shortcomings of the company’s cybersecurity system. Shareholders expect board directors to weigh the pros and cons of all available cybersecurity measures in order to make sure that the board protects their financial interests.
The SEC also imposes obligations on publicly listed companies to protect the interests of shareholders. The SEC requires companies to adequately disclose contingent liabilities. Certain situations call for setting up accounting reserves as a type of insurance over liabilities. In addition, another SEC rule states that companies must disclose risks that may have a reasonable and material adverse effect on them.
Board members, especially members of the audit committee, may be liable under securities laws if they are lax on attaining the proper knowledge about cyber risks or fail to make reasonable and prudent decisions about disclosing risk information. Still another SEC rule speaks to the requirement of boards to form an adequate system of internal controls in order to ensure that financial accounting is accurate.
Board directors who fail to address cybersecurity risks adequately may face shareholder lawsuits, SEC enforcement actions, or both.
Finding the Missing Link Between Board Directors and Cybersecurity Experts
Understanding more about cyber risks and how to protect against them is a bit like learning a foreign language. If you’ve ever started to learn a foreign language, you know it’s somewhat fun in the beginning. You learn a few new words and what they mean. Then, as you begin to learn and understand more, things become more challenging. There are different contexts and applications of the words, which can create confusion and frustration. That’s much like what goes on when board directors learn just a little bit about cybersecurity, but don’t take it to the next level where they can apply that knowledge to their duties as board directors.
When all of the tech talk gets too complicated, some board members stop asking questions and just blindly rely on the CISO to cover that base.
The disconnect between board directors and CISOs as it relates to cyber risk is that each of them takes a myopic perspective of cybersecurity. The fix for this problem is for each party to understand the other’s motives and thought processes, and to keep them in mind when communicating with each other.
Technological experts are wired to think with accuracy, precision and fine details. Their occupations demand it. CISOs apply specific terms like threats, vulnerability, privilege escalation, compromise and exfiltration in their highly detailed reports and explanations to the board.
On the flip side, the duties of board directors require them to think within a broad scope. They do their best to relate technological terms to the language that they know and use, which includes terms like risk appetite, valuation, strategic planning and profit margins.
Essentially, board directors and cyber experts view their roles through different languages and lenses, which causes a distinct divide between them. Despite any inherent differences in perspective, there’s an easy solution for greater understanding — clear communication.
Using Communication Strategies to Link Board Directors and CISOs
The sender, the receiver and the message are the basic components of communication. In this case, the sender is the CISO, who needs to have a good understanding of what the receiver, which is the board, needs to know. A fourth component of communication is noise, which garbles and confuses the intended message. In this case, the noise equates to the sender using too many technical terms that the receiver can’t understand in the context of the greater message. The message is coming at a speed that makes it even more difficult for the receiver to comprehend.
The result is that the receivers are clueless and confused and the senders receive their feedback as indifference.
Successfully reconnecting the links between CISOs and board directors means that CISOs need to slow the pace and gradually educate the board about the terms and definitions they use, and the context in which they use them. Adjusting the message also means connecting the information to the context that board directors view it in, such as negative headlines around cyber breaches involving other major corporations.
CISOs who can create a context within which board directors can apply their knowledge about cyber risk will be able to help them connect the dots between the value of cybersecurity and the positive impact that it can create for the business.
Fortunately for board directors, technology is becoming more the norm, which means we’ll all be forced to learn more about it as time goes on. Board directors and CISOs need to acknowledge the disconnect in communication and recognize that they need to communicate through both of their lenses when participating in discussions about cybersecurity. As part of a corporation’s enterprise risk management plan, boards need to work with the general counsel and the CISO or other IT professionals on a well-constructed cyber risk plan. A well-constructed cybersecurity program protects customers and shareholders and safeguards against financial loss and reputational damage. Board directors need to work diligently toward better communication with CISOs in order to understand exactly how it all works together.