Board members that help advise an organization to execute a cybersecurity transformation may encounter obstacles, similar to a board's oversight on other major change initiatives. These common challenges, if not addressed at the board level, can derail the organization’s time-to-value on cyber-related efforts.
Many of the common challenges boards face in guiding an organization through cybersecurity transformation can be navigated through modest changes to training, education, and oversight processes, with responsibilities spread across the board of directors.
1. Scarcity of board-level cyber expertise
Many boards lack experience in cybersecurity because members traditionally come from nontechnical backgrounds. This makes oversight and engagement on cyber-related matters difficult, particularly when it comes to understanding the related risks and making recommendations.
Truly grasping organizational cybersecurity involves a combination of:
- Understanding the organization’s cybersecurity strategy and cyber threat landscape.
- Understanding the cyber-related shortcomings and vulnerabilities of the organization.
- Having a clear baseline for assessing dynamically changing external threats.
Dedicated, focused time with the CISO/CIO/CRO and other executives involved in cyber-related initiatives can provide a large portion of this knowledge. Content providing a full picture of the cybersecurity strategy and gaps in the organization is especially useful when presented with a relatable focus on enterprise risk, severity, and loss.
While briefings from the CISO provide great insight into cyber topics, there is no substitute for impartial, external expertise. Board-based training and certifications on cyber subjects create a strong baseline for understanding security concepts. Staying current with independent news sources that cover cybersecurity issues will also foster a better understanding of the space.
2. Limited understanding of the complex cyber threat landscape
The cyber threat landscape is constantly evolving, and it is difficult for boards to keep up with the latest threats and trends. The reality is that your organization has to continually improve its cyber risk practices and monitoring in order to truly manage both the cyber risk and overall risk impacts to the organization. Board members need to have a high level of confidence in how their organization adapts to changes in the cyber threat landscape.
Set expectations with the CISO that they need to be clear on where vulnerabilities exist and the efforts required to reduce risks for the organization. This will aid in getting the appropriate executive-peer support required to make changes. It is more likely the executive team will rally attention on a cyber threat that has clear and specific business impacts. Board members have been able to influence improvements in how the organization is prioritizing the cyber risk transformation efforts by bringing the required urgency and focus to the full board and executive team. This in turn leads to solving for the biggest known cyber threats, which are typically raised by the CISO.
3. Limited board resources to focus on cybersecurity
Directors may find it difficult to devote time and focus to cybersecurity discussions. This makes it challenging for other leadership to encourage an organizational focus on comprehensive cybersecurity measures.
However, the potential damage a successful cyberattack can inflict warrants security issues becoming a regular topic of boardroom discussions. These talks should include recurring updates from audit and risk subcommittees (or equivalent groups). Not having a consistent method to understand the current state of cyber in the organization is extremely risky, given the all-encompassing impacts a cyber event can have on business operations, financial stability, and brand reputation.
To maximize the effectiveness of cyber updates, set expectations that reports presented to the board focus on the most critical issues. Updates should cover the following points:
Board members in the audit and risk committees should bring attention to the cybersecurity risks and needs of the organization by informing the broader board of directors. For example, is the board confident the organization is financially prepared for the repercussions of a cyber incident? Are the major business innovation and growth initiatives reviewed for potential cybersecurity risks? A board can properly incorporate cyber awareness into their processes by setting a standard for how and which cyber-related updates are provided. Setting a strong expectation for cyber risk considerations being part of committee reports ensures the topic is interwoven into all other conversations that come before the board.
4. Lack of full visibility into the effectiveness of their organization’s cybersecurity
No board can have full visibility into the effectiveness of their organization’s cybersecurity. You can get better visibility through regular interaction with the CISO and by commissioning external assessments. Having your CISO present the ins and outs of organizational cybersecurity processes will provide additional confidence in the current state and future of initiatives.
Also, take time to check in with your CISO and have them explain where they are putting their focus. Over half (51%) of cybersecurity professionals are kept up at night by the stress of the job and work challenges. A CISO fully focused on blocking and tackling efforts, moving from threat to threat and gap to gap, may never see the bird’s-eye view of the organization’s cyber position. As a board member, encouraging the organization to take the time to conduct a true cyber risk posture assessment has served as a best practice for many to uncover new challenges and reframe the current cyber risk as it relates to enterprise risk.
5. Minimal understanding of third-party risks
The risks involved with third-party individuals, vendors, and partners can be easily overlooked or even mistakenly placed into a lower-risk category when creating the current and future cyber view.
Many organizations rely on third parties for critical services. It can be challenging for boards to apply proper oversight to the cybersecurity risks associated with these relationships. Outside parties represent one of the greatest cyber threat exposures to your organization, and one that is mostly beyond your control. A major cyberattack on a third party can take down an entire ecosystem of interconnected organizations, as was the case in the highly publicized SolarWinds hack.
Third-party risks encompass any outside individual or organization that has access to the technology systems and connected equipment of your organization. While you cannot trust another organization’s cyber posture, you can limit the access vendors have to your infrastructure. By controlling vendors’ access to your information and systems, you can prevent bad actors from infiltrating your organization through third parties. This concept is a foundational aspect of a zero trust strategy.
Make it a point to inquire about and encourage conversations on third-party risk during board updates. While going through any type of organizational transformation, discover which third-party risks need to be addressed, and take steps to protect your organization.
6. Complexities in navigating legal and regulatory cyber expectations
It is difficult for boards to oversee cybersecurity initiatives due to the complex legal and regulatory landscape related to the field. Understanding your legal responsibilities under national and local regulations is important. This should include knowing the scope of the board's day-to-day responsibilities under normal conditions and during a major cyber event.
You will manage the cyber regulatory environment better if executives and internal and external legal counsel regularly update the board on its legal obligations. As a director, your broad oversight will be vital for ensuring the organization identifies and addresses relevant cybersecurity and legal considerations. Cyber risk transformation can be daunting, and serious problems may arise if these legal and regulatory obligations are not met during the journey.
A best practice for board members is to clearly understand who owns the cyber risk in the organization, and ensure it is not the sole responsibility of the CISO. Cyber risk is so critical that ultimately the CEO carries the responsibility. They can then delegate tasks to the CISO, CIO, CRO, and other members of the executive team.
Organizations that divide cyber risk management responsibilities keep the overall risks more at the forefront, maintain accountability for the cyber transformation, and place importance on stronger management oversight. Cultivate cyber awareness throughout the executive team so they can drive a top-down promotion of cybersecurity thinking to each organizational silo. This will go a long way toward improving your resilience to cyberattacks and minimizing the related business risks.
In summary:
- Boards often lack cybersecurity expertise, making oversight difficult. Focused training and independent sources can build knowledge.
- The threat landscape evolves rapidly. Boards need confidence the organization adapts to new threats. Updates should focus on critical issues.
- Cybersecurity should be a regular boardroom topic. Audit/risk committees should inform the board of cyber risks.
- Boards can validate their understanding of cyber risk through regular assessments. Check in with the CISO on focus areas.
- Organizations must manage third-party risk. Boards can seek to understand the legal obligations of cyber risk and ensure risks are addressed broadly across the organization.
This is part four of a series of posts dedicated to helping CXOs and boards address cyber risk. The next installment will cover essential metrics used to measure improvement.