Modern Governance

Cybersecurity is the responsibility of the board


The way Dido Harding has been held to account in the wake of the TalkTalk data breach - which is reported to have cost the company up to £80 million and 100,000 customers - has shown just how important it is that the overall responsibility for an organisation's security sits with the board, not just with the IT department.

In the UK, the Government's national cyber security strategy identifies security as a board-level responsibility, citing the importance of improving cyber awareness and risk management among businesses.

Everyone in a business has a role in keeping the company secure. Security should run through a company's DNA. All applications and platforms should be built with security top of mind, and training given to employees so they understand the importance of things like password control, secure access to data, and so on. But it is the board that will set the example.

Board members deal daily with highly confidential information, making strategic decisions that impact, for example, share price and reputation. But it is often information shared with the board that poses the biggest security risk to the business. Board members routinely handle documents that set out the strategy of the business: M&A information, negotiation details, senior executive remuneration, and financial and customer data. And yet it is not uncommon for them to be excluded from day-to-day security rules, sitting above the rest of the organisation's standards.

It is still common for business-critical documents to be sent to board members over unsecured email, to be printed off at home and carried to meetings (often across international borders), or for paper packs to be couriered to them ahead of meetings.

The first step to mitigating risk is education. There should not be a board in the country that isn't concerned about the threat of a data leak or breach. If the board understands its role in securing the business, that will go some way to reducing the threat. It's good practice to have a security expert on the board who can promote a culture of information security and ensure that all board members practise good information security themselves. Security should be on the agenda regularly at board meetings. This will send a clear message to the rest of the business: security is a top priority.

Board-level information should be subject to the same rigorous security checks as all other corporate data. It should never be shared on paper, but accessed digitally through a board portal - a platform that allows business information to be compiled, accessed and communicated to board members securely. Data can be encrypted (both in transit and at rest), and accessed with a digital key. Those keys should be controlled centrally, with a clear protocol for changing access rights if a password or device is lost or stolen. There should be clarity on and control over who has access to what level of information.

Security is one of the biggest concerns facing boards today. A breach has unlimited ability to damage a company's reputation and financial success. The process of securing a company should start right at the top.

About Charlie Horrell
Charlie Horrell is Managing Director for Europe, the Middle East and Africa at Diligent Corporation.

Charlie's career has focused on driving digital, technology and media businesses. He joined Diligent in January 2012 after five years as CEO of Packet Vision Limited, an advertising services company. Prior to that, he was COO of a €1 billion division of Thomson SA, the French media company, and CEO of IDP SA in Paris, a publicly listed French company. He also spent seven years with News Corporation, initially at BSkyB and then at Star TV in Hong Kong. During this period, Charlie headed business development and served as general manager of the first foreign media joint venture in China as well as deputy general manager of the Star Network. He has managed €1 billion corporate divisions, successfully formed joint ventures, raised venture capital and facilitated the sale of multiple companies during a career that has spanned the globe. Charlie began his career as an accountant with Arthur Andersen and holds a degree in Economics.