Companies have much to look forward to in 2019, including continuing the fight against cybercriminals. Boards should be adding cybersecurity preparedness to their list of objectives alongside their other goals. Cybersecurity is an issue that affects corporations and nonprofits alike. As technology creates newer and better ways of doing business, it’s also creating new ways for hackers to set businesses back.
Cybersecurity experts are increasingly in high demand as organizations of all types understand that they’re at as much risk as any other organization. Best practices continue to develop in the area of cybersecurity, but this shouldn’t be an excuse for not taking action now. The majority of board directors admit that they’re not nearly as knowledgeable about cybersecurity as they should be.
Boards that choose not to take action may be legally required to take stronger action in the very near future. U.S. Senators Jack Reed and Susan Collins introduced the Cybersecurity Disclosure Act in 2015. If the bill had passed, it would have required publicly traded companies to have at least one cybersecurity expert on their boards. The bill didn’t move forward, but it remains on Congress’s radar. It was reintroduced in 2017, and again in 2019 as Bill S592.
Board-Level Cybersecurity Experts in High Demand
Because some boards are unsure of the direction they need to take regarding cybersecurity, they sometimes choose a CIO who has high visibility and a strong reputation for IT expertise. The CIO position is a fairly new position that few companies have chosen to add. Cybersecurity issues are just one of many risks that boards need to manage.
One approach that boards can take is to try harder to educate the board about cybersecurity risks. Many boards acknowledge that they’re getting information on cybersecurity, but it’s too technical for them to understand it well. Osterman Research, Inc. sponsored a survey in 2016 that showed that 30% of board members didn’t understand what their IT departments were telling them and 54% agreed that the information they received was far too technical to understand.
Boards need a cybersecurity expert who can explain complicated technical terms and processes to them in ways they can comprehend.
What to Look for in a Cybersecurity Expert
If you challenged any board member about what each member of the C-suite does, they would most likely be able to explain it in detail — with one exception. When it comes to the CIO or CISO, the explanation may be sketchy at best. That’s one of the biggest deficits for most board members. They really don’t understand the job of the CIO or CISO.
The board retains the ultimate responsibility if there is a cybersecurity incident, so it’s vital that all board directors have a solid understanding of cybersecurity risks. It can take years to recover financially from a cyber breach, even when a company invests in robust cyber defenses. Board directors need assurance that their security teams have the proper capabilities to mitigate risks and have a solid response plan in the event of a breach.
The 2019 Gartner report forecasts that companies will experience an 8.7% growth in spending for cybersecurity, which equates to about $124 billion a year. Risks of cyberattacks are strong enough that boards can’t afford to rest on their laurels.
Boards are using various approaches to obtaining cybersecurity expertise. Boards may fill the role by employing a cybersecurity expert, cybersecurity observer or cybersecurity advisor on the board. Companies that are large enough may hire a CIO or CISO.
Essentially, boards need someone who understands the requirements for robust cybersecurity defenses and who can confidently coach the board on how to prevent a breach and assist them in developing an appropriate response plan.
One of the mistakes that some boards make is giving the responsibility for cybersecurity to an expert who favors an automated approach. Because of the unsavory approach that hackers take, cybersecurity experts need to take a manual approach to stay ahead of the hackers’ game.
Boards will know that they have the right cybersecurity expert when that expert is able to talk about how automation works more in favor of the hacker than of the company. Hackers work all hours of the day and night, sending off viruses and scams, just hoping that an unsuspecting employee or board director will open a virus-filled link or email.
Boards will know that their cybersecurity expert is doing a good job when the expert talks about the profile of a hacker. Hackers are well-organized groups or individuals who aren’t “rules people.” They look for hard-to-find deficits and weaknesses, and they know what type of rewards will hurt a company the most, including money, espionage, intellectual property and private data. Cyber experts who stay up to date on trends will know that cybercriminals use automation by sending off repeated attacks, delivering malware, stealing accounts and finding the one weak entry point.
A cybersecurity expert who is a good fit will be able to tell the board what resources he or she needs to do the job properly. They’ll be knowledgeable about the initial signs of an attack and they’ll be confident about when the company needs to respond. Today’s cyber experts use machine learning to adapt to changes in hacking strategies. Most of all, they’ll be able to help create a culture of cybersecurity throughout the company.
Using Technology to Fight Risks Caused by Technology
There’s no question that cyber threats will remain challenging in the coming years. Diligent Boards is a highly secure board portal where boards can work with their IT staff and cybersecurity expert on how to use other technologies, like machine learning, to fend off dangerous cybercriminal activity. The board portal is a safe place where boards can work with cyber experts on how best to protect the company, create a culture of cyber-awareness, and formulate a solid response plan if cyber attackers are able to find a weak spot in the company’s network.