Is the board's involvement in cybersecurity really that critical?

It’s often repeated that board involvement is crucial for cybersecurity success, but is this true?

Business, IT, and information security leaders alike repeat it all the time: cybersecurity is a board-level issue. Assuming that’s true, and many organizations believe it is, what can the board of directors actually do to improve cybersecurity efforts?

Most experts agree that one of the most important things boards can do is to set the security tone for the organization. (Also read "Six reasons why boards of directors must be engaged in cybersecurity".)

“The board of directors, led by the CEO, should lead collaboration and security awareness across the enterprise,” says Steve Durbin, managing director at the Information Security Forum. “Senior executives understand that the global economy is still not adequately protected against cyberattacks, despite years of effort and annual spending in the billions.”

Security managers and CSOs across the country, in discussions for this article, emphasized that it is crucial for the board to lead cybersecurity efforts. “The board can help the security team to focus on what matters the most to the business,” says Jay Leek, senior vice president and chief information security officer at Blackstone. “It can set the tone to make sure the organization takes security as seriously as it needs to be and that the required resources are available.”

When the board of directors or top executives are in sync with the efforts of information security teams, policies are developed and assets are prioritized for protection in ways that best insulate the organization from attack. Otherwise, security becomes too focused on regulatory compliance, and passing the regulators’ tests becomes the objective, rather than blocking and responding to adversaries and successful attacks.


“Because cybersecurity affects the entire organization, it should, without a doubt, require board oversight,” says Lloyd Marino, CEO of strategy and application development firm Avetta Global. “[Yet], while most IT departments and possibly security audit committees are up to speed on risk and risk assessments, most are not concerned with the business vision and matters of innovation, competitiveness, and strategy, all of which are crucial to operational technology and security oversight.”

That creates a disconnect between the actual threats that enterprises face and their ability to meet those risks, explains Monzy Merza, chief security evangelist at Splunk. “Well-intentioned policymakers develop policies to enable organizations to protect themselves,” says Merza, “but implementing policies without focus on critical assets and business requirements only manages to pass audits, rather than stop attackers.”

When it comes to such cybersecurity and risk management decisions, especially determining the organization’s risk appetite, most agree that senior management, the board, and the CEO are the only ones in a position to make that determination. “Cybersecurity is not one-size-fits-all and is very dependent on the type of organization and the level of risk the organization is willing to accept,” says Eric Cole, fellow and cyber defense lead at the SANS Institute. “All organizations must accept some level of risk and that can only be decided by the board being actively involved in understanding and approving the high-level strategic security goals for the organization.”

That high-level strategic insight is also critical when the enterprise is entering new markets or adopting new technology. This could include new lines of business, expansion into new geographies, or increased use of mobile, extension of IT out to the IoT, and wider use of cloud for more critical data and business processes. When engaging in such initiatives, boards need to understand the data security, data privacy, and regulatory implications of these moves. Likewise, CSOs and security managers need to know how to implement security controls that match the accepted level of risk.

In the years ahead, this may be more crucial than ever, because enterprises are expected to increase their investment in mobile and wearable technologies and apps, hybrid cloud architectures, and the Internet of Things, and to become even more global in the number of markets where they compete.

It’s essential that boards and top executives be involved in these discussions and understand how their organization’s cybersecurity posture is affected by these initiatives – and the importance of these discussions can’t be overstated. “It is actually understated because most boards misunderstand security and therefore are misaligned with how security is implemented within an organization,” says Cole. “If after a breach the board fires the CISO or whoever was responsible for security, it is really saying that they were not involved in security.”


Stories by George V. Hulme