Cyberattacks have been top-of-mind for security professionals for many years, yet only within the last few years has a strong sense of urgency or escalation of the conversation gone beyond the IT side of the business.
Today, companies of all sizes in all industries are susceptible to cybersecurity incidents stemming from intentional or unintentional acts, and the costs and frequency of these incidents has surged. From business interruptions, lost revenue, ransom payments, remediation expenses, legal implications, cyber insurance, and damage to brand equity, cybersecurity incident costs jumped 13% between 2020 and 2022 – and that’s why we need to take the cybersecurity conversation to the board level.
In addition to costs, recent concerns like the Russia-Ukraine war and nation-state cyberattacks have also lifted the veil on cybersecurity, making its value much clearer to those overseeing business decisions. Most organizations agree that the board needs to focus on cybersecurity, but it’s still unclear what these conversations should look like. The risk has become too high and the consequences too great for cybersecurity to continue as a lower-level issue, and an SEC proposal may push companies to focus in.
Establish a board with cyber expertise
The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” proposal by the SEC would require U.S. companies to periodically disclose their cybersecurity governance capabilities. This will make it necessary for boards to share oversight on cybersecurity issues, such as the number of board members with cybersecurity backgrounds, their training and expertise. This would allow investors to use the disclosures as an indication of an organization’s potential cyber risk. To stay on steady footing, it’s vital to find board members who have strong and recent cybersecurity experience.
As it stands, most U.S. public companies do not have cyber experience on their board. WSJ Pro Research found that only 1.9% of directors representing nearly 100 S&P 500 companies had professional cyber experience within the last 10 years. This shortfall speaks not only to how little this expertise has been valued by boards in the past, but also how much change must occur in the coming years, and soon.
All this being said, cyber risk, incident assessment, and cybersecurity management should not fall on one set of shoulders. Multiple board members should hold committee responsibility for cybersecurity oversight, advocating for, and overseeing cyber operations within a company.
Bring cybersecurity to the forefront of board conversation
Once established, it’s then the committee’s responsibility to bring cybersecurity into the forefront of every conversation, and there are two ways to drive this.
First, we need to contextualize cybersecurity risks for the rest of the board, answering very clearly why these decisions are critical to implement. IT security and cyber risks have often been engineering decisions rather than considered within the larger business decision realm because they are believed to be highly technical. Today, we must address decisions related to cybersecurity within the lens of business goals and objectives. Start by bringing cost into the equation, as the average data breach cost is now over $4.35 million.
Second, companies need to consider cybersecurity in every business decision, particularly when concerning new acquisitions, new suppliers, or new applications and tools that share data. These relationships introduce third-party risks, which are arguably the No. 1 cause of major cyberattacks. Additionally, when it comes to budget allowances, companies can’t underestimate the significance of a strong security posture. Introducing cybersecurity risk into every decision creates an added level of awareness, accountability and consequence consideration at the earliest possible stage.
Continue the conversation and achieve resilience
Companies need to connect cyber experts on the board to the cyber experts further down within an organization. This will ensure a continuous flow of information regarding the cyber landscape in both directions and create the visibility to help leaders understand and meet evolving needs.
Schedule regular periodic risk assessment events for organizations to act as essential benchmarks of an organization’s security posture, with results conveyed to board members for further analysis and action.
The sheer pervasiveness of cyberattacks should have cybersecurity registering as a heightened board priority. But to fully maximize resilience, make cybersecurity an actionable priority at the board level with strong cyber expertise advocates and cybersecurity considerations in all business decisions. Just as board members have vested interest in growth and innovation, so too get them vested in continually improving and strengthening the cybersecurity posture to match advancing threats.
Erwan Keraudy, co-founder and CEO, CybelAngel