With today's rapid expansion of digitalization and remote working models, organizations have started to experience an increase in security breaches. Moreover, while preventing cyber attacks was once the task of the network security team, boards of directors are now regarded as the guardians of corporate data and are held responsible for it.
For this reason, boards of directors should not only put cyber security on their agenda, but also periodically implement cyber security strategies in coordination with corporate leadership. This raises a question in many organizations: What steps can (or should) the board take to protect the company, and to minimize damage in the event of a breach?
Deloitte's report, “The Changing Role of the Board in Cybersecurity,” addresses such questions and highlights the importance of a top-down approach in developing organizations that are safer and more resilient. Given the increase in potential attack surfaces in distributed and remote environments, we have compiled five questions that companies and boards can consider in order to develop a more robust cybersecurity posture.
Is there a holistic approach to addressing cyberspace issues?
Analysis of cyber attacks reveals that security incidents are caused not only by technology breaches, but also by the exploitation of well-meaning employees who have not been properly prepared for attacks. A holistic approach to cybersecurity requires the active participation of people, in addition to the use of appropriate technologies and controls. This includes making every individual in the organization responsible for cyber security and ensuring that they have basic awareness of threats and know how to respond to them.
What are the “precious metals” we need to protect? Do boards review them and make necessary changes?
There will always be gaps in cybersecurity controls, since organizations operate in a digital world and the threats posed by adversaries keep evolving. Therefore, companies need to identify their key assets, or “precious metals,” and classify them according to their significance. These classifications shape the organization's cyber strategy and help boards decide which risks are acceptable, which can be mitigated, and which can be transferred.
Are cyber risk responsibilities well defined at board or management level? Has a strong emergency plan been developed to deal with a cyber breach and the changing risk environment?
Evolving cyber risks require interest and attention at many levels, from the board and senior management to internal audit, risk management and cyber teams. While the board is responsible for ensuring that cyber strategies are formed and then implemented by leaders, companies need to report back to their boards on the results of these strategies. In addition, it is important for boards to keep up with changing cyber security models. For instance, it may be advantageous to switch from the inadequate castle-and-moat approach to safer methods, such as the more effective zero-trust model. This enables companies to deal with more complex attacks and make informed decisions in real time.
Is there a strategy to follow for identifying the various cybersecurity capabilities and hiring those who have them?
Updates and changes in the regulatory, legal and compliance environment, and in business processes, have also expanded the skills modern cyber teams must have. There is a serious workforce deficit in cybersecurity: an (ISC)2 study conducted in 2020 estimated over 3 million open positions. It does not seem possible for organizations to close such a large gap through automation or outsourcing alone. Instead, they need to build a multi-faceted cyber culture that will attract and retain professionals. Boards can actively embrace and support a more cohesive effort to recruit people with diverse talents, thereby benefiting from their unique perspectives.
Has management considered risk in its cyber strategy with third parties, including outsourced IT, cloud service providers, and other partners?
As cyber threats become more complex and common, it is of great benefit to businesses to have proactive security mechanisms across the entire organizational ecosystem, including business partners, contractors, and other suppliers, and to ensure that these third parties maintain an appropriate level of cybersecurity.
Organizations that adopt and implement a proactive, top-down cybersecurity approach can reduce risk and gain a competitive advantage. Building a successful cybersecurity culture is one of the top priorities of boards today. With robust cyber monitoring in place, companies can anticipate the developments and scenarios that await them, and act confidently in response.