#HowTo: Make Security a Board Level Discussion

People and data are the lifeblood of all organizations, and ensuring their protection is inevitably a top priority for all businesses. But the job isn’t getting any easier.

In 2021, the number of data breaches climbed 68% to 1862, costing an average of $4.24m for each breach, making the risk very real. Not only do businesses face financial losses, but a significant breach can break the trust in the brand, damaging market confidence.

Typically, cyber-attackers aim to compromise and exploit an organization’s network. This can be achieved in numerous ways, including targeting employees via social engineering and phishing campaigns – including a recent attack whereby employees across all levels were manipulated into providing personal information to attackers masquerading as IT staff, as they obtained highly sensitive information. Evolving tactics and increasing cybersecurity awareness of such attacks must, therefore, be included from top to bottom across the workforce.

The well-documented risks presented by such attacks are reflected in the fact that 88% of board directors view cybersecurity as a clear business risk versus a technology risk. Despite this, only 12% have a dedicated board-level cybersecurity committee.

Such attacks serve as a poignant reminder that security is, first and foremost, a business risk for the boardroom. By engaging in collaborative discussions to demonstrate the business value and benefits that security-resilience-privacy by design has, a greater understanding can be developed. It is crucial for businesses to show the overall importance that safety and reliability in their products and services have in engendering trust.

Setting the Agenda 

Over the last two years, organizations grappled with the effects of the ‘Great Reshuffle’ as many re-evaluated how and where they work. In fact, recent data shows that 43% of employees are likely to consider changing jobs in the year ahead.

Many transitioning employees will be part of the growing hybrid workforce, which has introduced great possibilities but also some risks. For instance, bring your own device (BYOD) enables the ‘anywhere office,’ but businesses need to ensure such devices are built with security and privacy measures in mind, not bolted on, to ensure data is safe.   

While the benefits and scalability of the cloud is great for businesses, the reality is that migrating entirely may not be feasible for some systems and data. As such, operating a mix of on-prem, cloud and operational environments is common, and the challenge is managing and securing the different environments end to end.

For CISOs, reducing complexity and gaining more visibility is key, simplifying wherever possible to use a comprehensive solution to help protect the entire digital estate. Maintaining privacy is also vital for businesses, who have a duty of care since, in some instances, they are custodians of people’s data, whether employees, customers or both. Underpinning this will be expectations placed upon them to have appropriate controls to protect data, with a plan in place to manage a breach, should one occur.

Cybersecurity is a Team Sport

Board members do not need to become cybersecurity experts to help their companies prepare. But by collectively sharing and collaborating across industries to raise awareness at the board level, they can envisage not just the risk but the opportunities too.

Establishing clear, consistent communication to share useful and objective metrics for information, systems controls and human behaviors is a good start. The gap between the board-level members and cybersecurity professionals can be narrowed by focusing on common goals, keeping the organization safe and ensuring operational resilience.

Cybersecurity must be relatable at all levels and talked about in an inclusive language that will resonate with the audience. For instance, what tailored information or skills do HR and marketing need to know? How can we change the language to stop thinking of cybersecurity as a cost center or a problem to be fixed and turn it into something people will care about and get behind in their daily roles? Addressing such questions will make cybersecurity more applicable to varying levels and sectors, ultimately increasing security.

Tackling the ever-changing cybersecurity threat in an agile and proactive way requires influential members of the whole business to work together. By collectively taking responsibility for security and privacy, every person has a role to play and understands how they are contributing to reducing risk, modelling the right behaviors and outcomes.

What’s Hot on Infosecurity Magazine?