You need cybersecurity expertise in your boardroom
Cybersecurity chops are necessary in the boardroom, particularly now that compliance with the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) affects companies of all sizes. One well-placed lawsuit, data breach or cyber attack can instantly bankrupt years of entrepreneurship. A diligent director takes this risk—and their fiduciary duty around it—seriously.
For companies whose boards don’t have a cybersecurity expert among their directors, it’s easy to fall into the trap of over-reliance on audits and compliance—instead of asking whether the company has done its due diligence in preventing a cyber breach and protecting customer personally identifiable information (PII).
Here’s why you need cybersecurity expertise at the board level:
- Compliance is not the same thing as security.
Compliance was meant to be a floor, but functionally it has become a ceiling. Industry standard certifications and compliance frameworks (for example, HIPAA, PCI, ISO) are a bare minimum and intended to be generic. A framework can’t account for the nuances of a company’s operations or environment, and audits only look at a snapshot in time, not the ongoing state of your security. Consider a concrete example: your company could pass an ISO 27001 audit, but a day later a vulnerability could be left unaddressed and your company could suffer a breach or worse. Compliance is not the same as security. The most cyber-resilient organizations are those that treat compliance as a baseline and then build upward from there.
- Security is a culture, not just a function.
I too often hear “cybersecurity is the CISO’s job.” Sure, the CISO may have functional oversight, but the information security team can’t practically micromanage every person’s behavior in the company. Every employee has to do their part, which might be as simple as following protocol (using unique passwords, keeping work and personal activity on separate devices, avoiding emails from unknown senders). These small but important habits need to be built into your company culture. Build a culture where everyone views security as their responsibility, and you’ll mitigate 90% of your risk.
- Security is a business priority.
Just as finance and human resources must have a place in the boardroom, so too does cybersecurity; it’s a part of every decision and key measurement of business outcomes. Having a cybersecurity consultant occasionally advise the board results in patchwork strategy because that advisor is rarely in the day-to-day details enough to address what is an ongoing business risk. Seek at least one permanent board member with technical or security expertise. Delegating cybersecurity issues to the audit committee doesn’t do you much good unless you’re lucky enough to have a cybersecurity expert there who is fully engaged in steering the business.
- As a board member, you are a target.
The board of directors has access to some of the most sensitive information in the company. Yet, most board members use their personal emails and personal devices to communicate and share information. Your company may have a secure web portal for sharing documents, but did you access that portal with your personal device? The same device you use to browse Facebook, shop online, and check your personal email? That presents huge cross-infection exposure and, frankly, malicious threat actors expect executives and directors to do this.
Board members, you are a juicy target into the company and it’s your personal responsibility — and fiduciary duty — to not be the weak link for the company you serve.
When choosing someone with cybersecurity expertise for your board, look for these three qualities:
- They have information security, data security, or cybersecurity experience.
A computer science degree or network administrator experience does not indicate knowledge of information security and cybersecurity. Look for cybersecurity expertise rather than functional IT or software development skills.
- They have an understanding of the balance of business operations and cybersecurity.
Textbook knowledge of cybersecurity best practices is not useful unless it can be practically integrated with business objectives, then balanced with business considerations. Find someone who has implemented cybersecurity in cross-functional environments or non-technical teams, someone who can translate and explain cybersecurity risks to the executive and director level (not just to other technical experts).
- They have the ability to be a bridge for the internal cybersecurity team.
The internal team responsible for implementing the company’s cybersecurity program may not know how to articulate things at the board level. A good director will be able to frame cybersecurity questions and expectations in the context of business objectives like revenue, margin and customer satisfaction. This bridge allows the board to weigh risk and make effective decisions and set meaningful expectations and guidance for the operating team.
With a 27.4% increase in the average annual number of security breaches, and the average cost of a malware attack at $2.4 million, not having an expert in the boardroom (especially in the days of CCPA and GDPR compliance) puts your company at risk. A smart decision early will help keep your customers, your employees, and your intellectual property safe.
This article “Compliance Is Not Security: Why You Need Cybersecurity Chops In The Boardroom” was originally posted on Forbes on August 15, 2019.