Boards of Directors are more involved than ever before in discussions and strategy around their companies’ cybersecurity and the solutions needed to prevent being the next big headline.
The questions they are asking are no longer as simple as “are we secure?” but more to the tune of “are we doing all we can to minimize or transfer risk, and what do we do in the case of a breach?”
Boards also want to know if there are scorecards that measure company security posture, whether the company is compliant with the most recent regulations, and if they have the security controls to demonstrate compliance.
This sea change also means Boards have new options: Do they act as change agents for cybersecurity? Do they get hands-on as decision makers? Is IT security so vital to the business that it should have direct representation on the board itself, as in a Security Director?
Many Boards have taken the first steps, for example requiring quarterly cybersecurity briefings – some being directly presented by the CISO or VP of Risk Management – rather than relying on the occasional or ad hoc updates. When it comes to actual board representation though, most companies subscribe to one of the following beliefs:
- “We don’t need a cyber expert on our board – we have a CISO/CIO and that is plenty.”
- “Cybersecurity is a reporting and risk management problem, so cyber belongs in the boardroom as an episodic reporting agenda item.”
- “We definitely need a representational cyber domain expert, but we don’t know what that person should look like, and/or don’t know where to find and recruit one.”
For many companies, the first two statements might be perfectly appropriate for now. In fact, most boards are opting to act as change agents, but (Read more...)
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Thomas Bennett. Read the original post at: https://threatvector.cylance.com/en_us/home/does-my-board-of-directors-need-a-cybersecurity-board-member.html