Improving the Boardroom Cybersecurity Disconnect

Nicholas J Price
5 min read
Cybersecurity is significant because it offers protection for a wide range of issues, including our rights, privacy and freedom. Cybersecurity also has the potential to affect our physical safety. In addition, vital infrastructures are becoming increasingly vulnerable to digital attacks and data breaches. Despite numerous articles coming forth on the issues, many boards feel somewhat crippled on how to address the issue. The fact that cybersecurity issues are becoming bigger and more frequent calls even more attention to the need to improve the boardroom cybersecurity disconnect.

At every level of business and government, cybersecurity is a growing issue in both the private and public sectors. CISOs and their relationships with board directors play an instrumental role in helping to keep ahead of cybersecurity issues. Boards that fail to give the issue of cybersecurity the importance that it demands may be risking having a major deal fall through at some point in the future.

The Strength of Cybersecurity Affects a Company's Value

The strength or weakness of each company's cybersecurity program, as well as how they manage it, has a strong bearing on the company's value. Cybersecurity programs are increasingly being considered during due diligence for mergers and acquisitions. Many companies are checking for cybersecurity audits as part of due diligence for acquisitions. Many companies that are seeking acquisitions are requiring that the company has an existing CISO. More importantly, they're looking for proof that the CISO is effective in their position.

A recent (ISC)2 survey of 250 merger and acquisition experts in the United States indicated that 96% of cybersecurity experts considered a company's readiness for cybersecurity in their due diligence calculations. Cybersecurity experts that were polled in the survey agreed that companies seeking acquisitions should assess cybersecurity practices as a standard course of practice. Most companies will consider prevention and remediation efforts in making their final decisions. There is no argument that a strong cybersecurity program is considered an asset, while a weak program is considered a liability. To put forth their best presence, boards must be able to communicate their cybersecurity practices well to acquiring companies to maximize their company's value.

What Does the Current Cybersecurity Landscape Look Like?

Statistics help to give us a more realistic picture of the cybersecurity landscape as it is in the real world. That said, about 77% of Fortune 500 companies don't have any indication on their company websites about who manages their cybersecurity strategies. Of those same companies, 52% don't have any content on their websites about how they approach protecting their customers' and partners' data beyond the legally mandated privacy notice.

Around 38% of the 2019 Fortune 500 companies don't even have a CISO. Of that percentage, only 16% assigned another executive to be responsible for their cybersecurity strategy ' an individual such as the vice president of security. Only 4% of the companies of the 62% that have CISOs list that person on their company leadership pages.

The Relationship Between the CISO and the Board

The role of the CISO includes being able to analyze, formulate and mitigate information security risks. They also need to be able to forge alliances and partnerships and support the business operations team. The CISO position is new enough that it's not always easy to define or navigate the relationship with board directors. Many boards simply don't have enough expertise in cybersecurity matters to have a good grasp on them. Boards' lack of experience with cybersecurity makes it difficult for CISOs to convey the necessary amount of urgency they need to take on this topic.

It takes the right kind of education to help boards understand the types of threats, how serious they are and the risk they pose to the company. The CISO's role in educating the board about cybersecurity is necessary so that they allocate enough funds in the budget for it.

One approach that is often successful in bringing the two sides together is to relate the dangers of cyber risk to those of other kinds of risks. It's often insightful for CISOs to use tools such as heat maps to drive home the seriousness of cybersecurity. Among the issues that CISOs need to discuss with boards are identifying potential cyber risks and knowing where the board can best invest its money, programs, strategies and people.

It's essential for boards to dedicate some of their board meeting agenda time to discussing cybersecurity. It's important for boards to discuss the lack of response on their part to the consequences of a data breach, which may cause customers to seek new suppliers. This would have a snowball effect that would result in lack of trust in the company, possible business decline and reputational damage where a company may not be able to recover well or at all.

CISOs can also be instrumental in providing data on the cost of just one data breach. According to the IBM-Ponemon study, the average cost of a data breach is $3.86 million. In cases that were determined to fall into the category of 'mega-breaches,' which resulted in the loss of 1 million to 50 million records, the total cost of the breaches ran anywhere between $40 million and $350 million. These types of cases should stand as strong data that can be instrumental in helping boards grasp the magnitude of the current and future potential for cyber threats. Among other topics, boards and CISOs have plenty of fodder for discussion, including possible defenses, tracking irregularities in who can access systems, and whether their current cybersecurity plan is strong enough.

Looking Toward the Future of Cybersecurity Protection

Boards also need to protect themselves, their documents, and their communications and collaborations on their board activities as the first line of defense in cybersecurity protection. The best way to do that is to implement a board portal system by Diligent Corporation, an industry leader in board management software systems. With a feature for granular permissions, boards can be sure that only authorized users are accessing the system. Diligent Boards, along with other digital solutions, are fully integrated and highly secure because they function within the safety of Diligent's platform.