We recently blogged about how you can speak the language of the board to drive a comprehensive cybersecurity strategy. It turns out the situation between IT and the board is worse than we thought. According to a recent PricewaterhouseCoopers report – which interviewed more than 6,000 people in 115 countries – only 37 percent of organizations surveyed have a cybersecurity response plan in place.
The report stated that the lack of preparation comes from the top because “many boards are not sufficiently proactive regarding cyber threats, and generally do not understand their organization’s digital footprint well enough to properly assess the risks”.
This may come from the perception that cybersecurity is a problem that solely sits in the IT department. IT security staff is expected to deal with outcomes of cyberattacks 75 percent of the time. It’s clear that IT teams are being set up to fail in a game where everyone loses.
One of the key themes of the report is that organizations should take cybercrime as seriously as any other risk they might face. Here are four ways you can tactically involve your board as an integral part of your company’s cybersecurity strategy:
- Assess cybersecurity program costs. Understanding the potential financial impact of a cyberattack can help your organization identify the proper level of investment. Help the board understand your rationale for investing in and allocating resources to monitor cyber risks, safeguard data, and quickly contain breaches should they occur.
- Develop board-level metrics and benchmarking. Boards need useful metrics and analytics to gauge whether the organization is managing cyber risk at an acceptable level. Develop a dashboard to identify the parts of the business with the greatest and least amounts of cyber exposure as well as the initiatives in place to mitigate risks.
- Participate in war-gaming exercises. Cyberattack simulations can help identify vulnerabilities and gaps in preparedness, improving the ability of management teams to make decisions under stress. Involve relevant board members so they can truly see the potential impacts of a cyberattack. Make it real for them.
- Determine the voice of the organization during a cyber incident. In a crisis, a quick response is essential. Management is often the first voice of the organization. With that said, crisis plans should consider the board’s role and where it might be appropriate for the board to be a voice in the dialogue with stakeholders, particularly shareholders.
As you deliver greater understanding of the importance cybersecurity has for the company’s survival, the board’s role should evolve. Throughout this journey, it’s vital to have a strong dialogue with senior management and forge a true partnership so that everyone has a stake in the company’s cybersecurity posture. For IT management, this is your chance to ensure your teams aren’t being hung out to dry. You must have top-level support in order to have the buy-in – and monetary investment – necessary to safeguard your organization from cyber risks.
We can help enable your strategy: Building on 20 years in cybersecurity, US Cyber Vault protects against threats, provides a secure data storage and computing environment, and is supported by an incident response team of intelligence experts. Request a free trial today.
Written by Rob LaMear, CEO, US Cyber Vault