Getting your board's buy-in on cybersecurity

You don't want your first discussion about cybersecurity with your company's board to happen post-breach

High-profile data breaches continue to make news, and you can bet that your board of directors has noticed. Breaches can result in huge remediation costs, litigation and revenue lost to a damaged reputation. Board members pay attention to those things.

You don't want your first discussion about cybersecurity with your company's board of directors to happen post-breach. Start educating the board now. Explain the scope and components of a comprehensive security program, and be clear about how far your company's program falls short of where it needs to be. The board members need to understand that, at a minimum, a good cybersecurity program should include processes to manage patches, review logs, enforce strong passwords and train staff to recognize phishing email. They probably also need to be educated about the policies and procedures that have to be put in place just to meet the security requirements of legislation such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley and industry standards such as PCI DSS and EMV. They need to know that you recognize the dangers of collecting and storing data that is subject to regulation and will do so only when there is no other option. And they need to see that the procedures controlling all these processes have been thoroughly documented and are regularly tested.

But those are just the basics. A truly comprehensive cybersecurity program involves much more, and you need to make your board aware of what those things are, so that it can assure that sufficient resources are allocated. Some of the things to consider undertaking and funding are these:

  • Certifying vendors. Your vendor's infrastructure may not be as secure as your own. According to the Senate Committee on Commerce, Science, and Transportation's March 2014 report, Target's HVAC company had access to Target's network and apparently did not follow accepted security practices. The report states, "The vendor's weak security allowed the attackers to gain a foothold in Target's network." Ideally, vendors should be restricted to a separate network and never allowed on the corporate network. However, this is frequently impractical for IT vendors. When a vendor needs access to your internal network, supply its staff with company computers running the same security tools found in the rest of your infrastructure, and limit their access to the systems they actually need.
  • Monitoring social media. Scammers sometimes impersonate executives on LinkedIn and other social media. Recently, scammers created high-quality LinkedIn profiles for a large manufacturing company's entire executive team, none of whom were LinkedIn members. The scammers built a substantial network of industry executives before sending legitimate-looking messages containing malware. When the manufacturing executives discovered that malware had been sent under their names, they were disappointed in their IT security staff for not having prevented the problem. The security staff felt blindsided, since they had never envisioned (or been told) that it was their responsibility to monitor social media.
  • Establishing a cyber-risk board committee. Few boards regularly focus on cyber risk. Since the issue is relatively new, cyber risk and security often fall through the gaps between the Audit Committee, the Risk Committee and the Governance Committee. If the board does not have a committee specifically addressing cyber issues, recommend that it create one.
  • Enforcing separation of duties. Good management controls demand that any process that allows access to money or critical data has appropriate checks and balances, so that no single person can both initiate and approve a sensitive transaction. Good ERPs facilitate appropriate separation. However, small companies or business units sometimes have to accept the risk, leaving themselves open to undetected theft; where full separation is impossible, compensating controls such as independent review of transaction logs are the minimum.
  • Re-examining BYOD. While many employees appreciate the convenience of accessing needed data on their own devices, BYOD broadens the enterprise's cyber risks. IT can lock down company devices and wipe them remotely when lost, stolen or compromised. That is much harder to do with employees' own devices, and employees often object to it. Consider the trade-offs carefully.
  • Increasing staff engagement. Internal employees are responsible for many data breaches. Some are careless and inadvertently reveal information that enables a thief to gain access. Others embezzle or steal information for personal financial gain. Still others, including Edward Snowden, justify their actions as retaliation for their employer's real or imagined breaches of ethical behavior. Disgruntled employees are more likely to facilitate security breaches, while people who feel valued are less likely to abuse the company's trust. There will always be people desperate enough to steal, but showing appreciation for staff is good for morale, security and business.
  • Updating insurance coverage. Corporate insurance policies frequently do not cover cybersecurity breaches without a separate rider. The department responsible for corporate insurance should review every policy for cybersecurity coverage and confirm what the policy actually pays for after a breach.

Most importantly, neither IT nor the board should delude themselves that a breach won't happen to them. As Joseph Demarest, assistant director of the FBI's cyber division, said at a recent cybersecurity conference, "You're going to be hacked. Have a plan."

Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners Inc., which helps organizations invest well in IT. Contact him at
