No business wants to be in the spotlight for not protecting sensitive data. Data breaches have become a much more visible issue to the public and it has become harder for companies to ignore. While some experts claim that the public is experiencing “data breach fatigue”, the reactions to data breaches from Equifax, Facebook, and Uber have proven otherwise. Corporate boards needs to cultivate strong cyber smart executives to address this problem.Corporate boards needs to cultivate strong cyber smart executives to address data breach fatigue. Click To Tweet
In the well known case with Facebook, the company attempted to claim the incident was not a data breach, but the terminology was not important. People were simply upset because they felt their privacy had been violated, no amount of PR could address that, a hashtag on Twitter even was circulating “#deletefacebook” which was trending worldwide at one point. Consumers are angry, and will make that known if the breach is close enough to home.
Cyber security is increasingly becoming a risk to business like any other risk that businesses have to mitigate. Investors have expressed concern and so to has the Security Exchange Commision. The market is signaling to companies a need to protect themselves against cyber threats.
Thankfully, board members have taken some notice of how cyber security impacts their businesses. The National Association of Corporate Directors (NACD) even developed a cyber security resource center. This may also be the result of SEC enforcement in recent years regarding cyber security. In February the SEC approved guidance for now required cyber security disclosures. As stated in the SEC’s statement on the guidance:
“Public companies must stay focused on these [cyber security] issues and take all required action to inform investors about material cyber security risks and incidents in a timely fashion.”
Corporate boards must take steps to allocate the same level of oversight and scrutiny to cyber security that they do to financials. Additionally executive managers who answer to the board must understand how proper cyber security is critical to the success of the business.
Best Practices for Board Members
From the NACD Guide to the SEC Resource Page many of the critical institutions and centers of information are making clear that cyber security is important. Here are some of the most important best practices to ensure the C-Suite is cultivated in a way that executives are cyber smart.
Clarify Board Level Responsibilities
Before boards can demand that the C-suite perform better in regards to cyber security, there needs to be some responsibility taken up first. Cyber security needs to be treated as a risk to the continuity of the business. In action this would be the board placing the responsibility of auditing the company for cyber security compliance and precautions into the hands of existing audit/risk committees. This is a start of course, for companies with more resources there should be a committee exclusively dedicated to cyber security lead by someone with expertise in cyber security. This committee would not just audit security technology but planning and processes as well. For example, the committee may look for: incident response plans, cyber insurance, insider threat program, vendor management programs, data flow charts, cyber security training plan, vulnerability reports, and much more.
With a board level duty and oversight responsibility there is a clear signal sent to the C-suite about how seriously board members are taking cyber security in the company.
Start With the CEO
The 2018 Guidance that was released in February has made it effectively clear that the “tone at the top” is to be watched for responsibility when it comes to cyber security.
One of the directives in the 2018 guidance is the executive certifications which focuses on the design and performance of controls, and requires that they integrate cyber security matters. The CEO is the top manager who is in charge of fulfilling the mission day to day. As a result the CEO must take complete charge of cyber security and integrate it across the entire organization. It should be as critical to business as financial risk mitigation is. There is a lot of work to be done and a lot of supportive material from both the public and private sector to help with this endeavor.
Board members must be sure that whoever is named CEO understands the importance of cyber security and is capable of meeting security demands in today’s environment. The SEC understand the importance of cyber security and will only become more assertive in their requirements. The board must make sure that the CEO understands the evolving risk area that is cyber security. If they do not, they are not qualified to be a modern CEO.
Reject Basic Assurances
Whenever the executive management team has something they have to report on you may hear things like “We have that covered” or “Our [executive manager] is taking charge of that.”
These statements are not acceptable when it comes to cyber security. Always probe deeper to understand the specifics when a CEO or another executive manager presents anything regarding cyber security. It is their responsibility to demonstrate they are in compliance with not just legal requirements but also expectations of all stakeholders of the business.
When questioning the executive management team be sure to ask questions about business continuity, incident response, insider threat monitoring, and most important demand progress reports. The executive team should be clear that there is now always going to be a sense of urgency to improve cyber security in everything that the business does.
In the end the board should be absolutely clear about what their responsibilities are when it comes to holding the corporate board accountable for developing a strong security program. CEOs are the main piece of the puzzle that must be cultivated in order to ensure the other executives are all on the same page when it comes to cyber security. The cyber threats will only grow in intensity which will prompt a stronger response from governments. Might as well be prepared now rather than later, when it may be too late.