As corporations consider their cybersecurity weaknesses, the focus often falls on unsecured networks, outdated systems, or a lack of monitoring designed to detect attacks. One area that is rarely identified, but that can significantly limit a corporation's ability to prevent, manage, and respond to cyber attacks, is the cyber literacy of its board.
Every board of directors is responsible for overseeing its corporation's complete risk profile, and cybersecurity has become one of the most critical risk areas for every industry in every market around the globe. According to the Gartner Board of Directors Survey for 2022, 88 percent of boards report that they now see cybersecurity as a business risk rather than a technology issue.
To be prepared to address vulnerabilities and incoming cyber threats, boards must be proficient in this mission-critical area. Failure to do so not only exposes their corporations to financial, operational, and reputational consequences, but it also carries the threat of personal liability for board members.
The important work of educating leaders in the age of cyber attacks should prepare board members and senior leaders to answer these seven key questions.
Do we have experience with cyber attacks?
Developing an effective cybersecurity strategy benefits from first-hand experience with attacks. A board with no member who has overseen the development and implementation of security programs, or who has led an organization through an incident, is missing valuable knowledge. Board members with such experience are invaluable in helping the board understand the nature of the risks and navigate any response that might be required.
What is our risk tolerance?
Corporations become more vulnerable to cyber attacks as they push deeper into the realm of digitalization. According to McKinsey and Company, cyber attackers are taking advantage of the growing demand for “high-speed access to ubiquitous and large data sets” that is driving many businesses to expand their digital footprint.
Determining a corporation's risk tolerance in this area defines how much digitalization is acceptable and what degree of security is required. Decisions about enlisting partners or third-party vendors to manage and safeguard systems should likewise be weighed against that tolerance, since each vendor extends the attack surface the corporation is accountable for. A higher risk tolerance means accepting more exposure, which in turn means committing more resources to detecting, containing, and recovering from the breaches that will occur.
What is our cyber knowledge?
Attackers constantly increase the sophistication of their campaigns by leveraging the latest technology and adapting to the latest defensive measures. McKinsey reports that attackers in 2022 are applying tools including artificial intelligence and machine learning to increase the effectiveness of their attacks.
For board members to respond effectively to cyber threats, they need a working knowledge of the threat landscape. This should include a general understanding of common attacks, such as how phishing works and what a distributed denial-of-service (DDoS) attack does to a business, as well as knowledge of the specifics that affect security in the corporation they serve. They should understand, for example, the corporation's complete digital footprint, where it is most vulnerable, and what security controls are in place.
Are we providing effective training to the appropriate people?
Ongoing training weaves the importance of cybersecurity into the corporate culture by communicating to personnel at all levels that they share responsibility with the security department for detecting, avoiding, and reporting attacks. To ensure training is effective, boards must confirm that it goes beyond theoretical explanations of the dangers to show how attacks actually happen and how they can be avoided. A recent study reveals that the most common forms of attack, including phishing and social engineering, are among those least understood by employees.
How deep is our talent bench?
In addition to supplying the corporate will to implement effective security programs, boards must assess whether the organization has the strength and depth to operate them. An experienced Chief Information Security Officer (CISO) is a key position, but may not be sufficient. If that CISO leaves, what does the bench look like beyond that position? Depending on a corporation's digital footprint, a security architect or cybersecurity engineer may also be necessary. The board should take the steps needed to empower the organization to attract and retain these key roles, as competition for skilled talent in this area has grown considerably with the increased focus on corporate cybersecurity.
Do we have the necessary negotiating skills?
Ransomware is one of the more common and costly forms of attack that corporations face. After breaching a company's systems, the attackers encrypt its data so that the company can no longer access it and demand a ransom for the decryption key. Increasingly they also steal the data first, and where it is sensitive they threaten to release it publicly or sell it if the ransom is not paid. Statistics show nearly 2,700 ransomware attacks reported during 2021, with the average payment demanded by attackers exceeding $220,000.
While experts continue to debate whether corporations should pay the ransom, some form of engagement with the attackers is almost always necessary, even when the decision is not to pay. The board should therefore make sure that the corporation has the personnel in place, working alongside legal counsel and the incident response team, to develop a negotiation strategy and carry it out. Involving people with a high emotional quotient (EQ) is important when preparing for negotiations. More important is involving those with a high crisis quotient (CQ), marked by the ability to stay focused on critical issues, identify and honestly express weaknesses and shortcomings, and remain engaged in processes that are psychologically taxing.
Always Be Prepared: Attacks Can Happen at Any Time
A cyber attack will most likely happen when you least expect it. Still, the growing body of data on how and why attacks happen can provide insight into when they might occur and how they might play out.
Experts observe that attacks usually move through a series of predictable phases, often described as a "kill chain": beginning with the reconnaissance attackers use to identify an organization's weaknesses, moving through initial access and spread within the network, and continuing until the attack brings some form of gain to the criminals. Boards serve their corporations well by understanding these phases and being prepared to lead through all of them.
Overall, corporate boards must recognize that the evolution of cybercrime demands a more coordinated, company-wide approach to cybersecurity. Gartner predicts that developments in the field are leading to an environment in which today's cybersecurity leaders will be poorly positioned to manage effective security on their own. Moving forward, a board that wants to serve well will need to be capable of assessing and addressing cybersecurity concerns with a sophisticated degree of expertise.
Naveen Bhateja, the EVP and chief people officer at Medidata Solutions, leads all aspects of the company’s global human resources. As a member of the company’s senior leadership team, he is a business strategist and trusted advisor on how people strategies empower successful business outcomes.