C-suite and Board members are certainly aware of, and in fact should be frightened by, the accelerating rate of U.S. companies and government agencies that have suffered a record number of data breaches in the last few years alone.
U.S. companies and government agencies suffered a record 1,093 data breaches last year. Such serious security breaches expose a wide range of personal information, from Social Security numbers to account credentials. Monetary costs for breaches are very expensive. Beyond the harm to personal privacy, company reputation and loss of consumer trust, an IBM study estimated the total cost per data breach for a company this past year to be around $4 million.
The prior practice of hiring and even empowering a dedicated cybersecurity team has simply not been enough to stem the tide. It is now generally agreed that enterprise cyber risk must be elevated to CEOs and board members who need to take on the responsibility of initiating and championing organizational improvement to address cyber threats.
Yet, getting the attention of those at the top has been difficult. To convince board members and CEOs to act, they must first be convinced that severe consequences are certain to occur if proper cybersecurity measures are not implemented. Cyber threats target a variety of information across all sectors. In 2013, hackers stole the payment information of up to 40 million Target customers. In 2014, the Sony Pictures compromise exposed tens of thousands of embarrassing email exchanges between actors and executives, a data breach that ultimately cost the company approximately $100 million. Then, in 2016, Yahoo revealed that over 1 billion Yahoo user accounts had been compromised.
Why your organization is vulnerable
Despite the fact that human nature tends to lead us to the belief that “it will happen to the other guy” or to rely on the comforting belief that someone in the company is on top of the cyber risk problem, it is time to face the fact that cyberattacks occurring at an accelerating rate may in fact be the new normal.
CSO reports on moves to bring more cybersecurity expertise in-house: “Many companies are hiring a chief security officer (CSO) or chief information security officer (CISO) for the first time to support a deeper commitment to information security.” And yet this does not necessarily mean that CEOs and Boards are assuming the responsibility for addressing the threat. Often these hires can have the unintended consequence of creating a sense of complacency because there is now an expert in place piloting the cyber risk ship.
As Amy Aixi Zhang notes, “to convince board members and CEOs to act, they must first be convinced of the acute consequences of failing to implement proper cybersecurity measures.” Cyber threats are an equal opportunity phenomena and all sectors, large and small, have been impacted.
A recent Harvard Business Review study sought answers to the question “Why Boards aren’t dealing with Cyber threats.” The findings were revealing:
- Most Directors agree that cybersecurity is an urgent global issue, and with the rash of cyberattacks flooding the media, it’s obvious why; but these same Directors are often not making “the connection between the pervasiveness of cyber threats and their companies’ vulnerabilities.”
- Despite the known threat and the acknowledgment of its urgency, many CEOs and Directors remain focused on more traditional reputational and regulatory risks, retaining key talent and global competition. These risks and challenges have been present forever, and it is hard to break from old patterns.
- Most importantly, the study concludes that “directors simply aren’t internalizing the extensive, long-term damage an attack could inflict on their organizations.”
Why this disconnect in the face of such an obvious threat? The Harvard study employing an intensive survey “of more than 5,000 directors in over 60 countries” and conducted with the WomenCorporateDirectors Foundation, Spencer Stuart and others, found two main reasons for the apparent lack of urgency in the face of cyber risk: Boards lack both the processes and the level of expertise needed “to surface, evaluate, and address cyber threats.”
While most boards “have robust processes for addressing their most pressing responsibilities, such as financial planning and compliance,” processes related to cybersecurity issues “such as regular discussions about cyber risks (with or without cybersecurity specialists) and management reviews of contingency plans for a data breach” are lacking. This blind spot is an area where the Diligent Corporation focuses its attention. Diligent’s secure board portal provides a comprehensive platform for not only securely and efficiently managing board meetings but setting processes in place that can be easily monitored and evaluated. Forty percent of the Fortune 1000 has already found Diligent to be the go-to platform for superior corporate governance.
Lack of expertise
The Harvard study found that, among all of the issues Directors faced, “risk and security issues were the challenge they mentioned most.” One solution that Diligent and others have proposed is to bring a cybersecurity expert onto the Board. While Boards have overflowing agendas to attend to, it is imperative to make time to improve the C-suite and the Board’s expertise in the area of cybersecurity. Short of bringing on a cyber expert Board member, regular training and perhaps a retreat dedicated to cybersecurity would be helpful. It is important to remember that a small amount of learning can generate the key to more learning – curiosity.
An important by-product of Diligent’s seamless, secure and efficient means of conducting Board meetings and promoting good corporate governance is that more time becomes available to both implement cybersecurity processes and expand cybersecurity expertise.