One needn’t be a corporate secretary or other governance professional for long before being exposed to more than your share of buzzwords. Given the extent to which they become part of the local lexicon, and the frequency with which such buzzwords are overused in conversations and reports, some can become hackneyed. They may come to seem trite, and the associated messaging could lose much of any intended sense of significance.
That’s unlikely to be the case with terms such as cybersecurity especially in regards to the board’s involvement in organizational cybersecurity practices. By this point in time, the topic should have a standing place on your board’s calendar and work plans, as do internal and external audit, budget approvals, financial reviews and more.
The Board’s Concern Around Organizational Cybersecurity Practices
How concerned, though, should your board be around cybersecurity practices? I’d suggest that this is much like asking yourself how concerned the board should be about the organization’s budget, the extent and results of its internal and external audits and its financial reviews – and the processes involved with each of these critical indicators of the organization’s wellbeing.
More than a few people have reflected on the importance of good cybersecurity practices (cyber hygiene) in protecting an organization’s “crown jewels”. In this context, we’re talking about your organization’s mission-critical data –pieces of information that could severely and adversely impact the organization’s success if compromised. Your board should routinely review and confirm that it’s satisfied with management’s identification of the organization’s crown jewels, and the strategies and practices through which they’re protected.
It may be both disturbing and helpful to consider the results of PwC’s Digital Trust Insights, which represents the evolution of that firm’s former annual Global State of Information Security® Surveys (GSISS). With a focus on digital risk management, PwC’s inaugural Diligent Trust Insights report reflects surveys of 3,000 business leaders globally. The Fall 2018 report found that, while 80% of respondents with responsibility for communicating cyber and privacy risks to their boards said their companies had provided boards with a cyber risk management strategy, only 27% of respondents said they were very comfortable that the board was receiving adequate reporting on cyber and privacy risk management metrics.
How to Educate the Board Around Organizational Cybersecurity Practices
Challenges in such discussions can sometimes be twofold: not all directors will be familiar with terminology that’s everyday jargon for Chief Information Security Officers (CISOs) and their teams, and not all CISOs will have a handle on what directors need to know. If your board isn’t hearing directly from the CISO, that can compound the matter; the board may be reliant on reports or analyses as interpreted by a non-expert on the executive team. Herjavec Group CEO Robert Herjavec has offered three tips for cyber-related presentations in the boardroom, which boards could establish as expectations. These include a focus on “pain points”, provision of key performance indicators (KPIs), and statements that are backed up with statistics.
Herjavec suggests specifically addressing how an organization measures the maturity of its cybersecurity program, how the organization has closed any vulnerable gaps since the prior reporting cycle, where the organization is in terms of its security roadmap (and expanding on the status), and any compliance measures about which the board should be informed. Herjavec backs up his tips with access to a sample three-year security roadmap and a list of five KPIs.
When it comes to compliance, governance professionals can add value by heeding advice provided in PwC’s Digital Trust Insights report: “Focus more on identifying new and emerging legislation, rules and implementation guidance.”
As you might anticipate, being aware of and satisfied with KPIs, statistics and information on organizational practices does not represent the full extent of the board’s cyber concerns. The board should also acknowledge the risks its own practices can represent to the organization’s cybersecurity. That’s because directors, as well as those who support them, are – much like senior executives and their EAs – attractive targets for cyber criminals. Consider the scope and sensitivity of information communicated between you, your directors and senior management, and it’s unsurprising that you’re appealing prospects.
You’ll also want to consider the results of Forrester Consulting’s 2018 study, commissioned by Diligent Corporation. Forrester’s report reflects surveys of 411 governance professionals across 11 countries in North America, Europe and Asia Pacific. Forrester found that that 56% of board members use personal email to communicate with fellow directors and with contacts within the organizations they lead. The study found that 51% of C-level executives and 50% of governance professionals adopt the same approach.
The Board’s Involvement In Organizational Cybersecurity Practices
Such practices are no doubt well intended, but secure file sharing technology represents a superior approach. It also positions you, management and your directors to walk the cybersecurity walk.
Boards should be concerned, as well, about cybersecurity practices in the context of third party risks. In its 2016 global survey on Third Party Governance and Risk Management (TPGRM), Deloitte found that third party risk incidents were on the rise. Deloitte noted that 20.6% of respondents had “dealt with a situation where sensitive customer data has been breached through third parties and 10.3% have actually lost revenue.”
Gartner, Inc. explains that security rating services (SRS) provide independent, quantitative and continuous technical analysis and scoring “for public-facing digital assets of organizational entities across geographies”. Think of these security ratings, if you like, as the cybersecurity equivalent of a personal credit score or rating. SRS provider BitSight, notes that ratings are developed based on data in one of four broadly defined categories. These include breach events, compromised systems, user behavior and diligence.
In its 2018 post, “Innovation Insight for Security Rating Services”, Gartner published key SRS findings and recommendations, including one that SRS be incorporated “only as part of a comprehensive third-party risk management program” . These were provided in the context of a strategic planning assumption that, “By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships”. In March 2019, Gartner included SRS among its list of top 10 security projects for the year.
While board discussions of cybersecurity often focus on risk, new business opportunities may be had for organizations that perform well and achieve positive SRS assessments of their cybersecurity performance.
How concerned is your board around the organization’s cybersecurity practices, and how concerned should it be? An astute board may choose to establish cybersecurity expectations and oversight practices that parallel the high standards already applied to the organization’s financial planning and performance.