EXECUTIVE SUMMARY:

A recent spate of high-profile ransomware attacks, not to mention the ongoing data breaches, has raised the stakes for those at the helm of their organizations. Security is no longer just an IT concern. Leadership, up to and including the Board, should have security top of mind because of the risk it poses to a company’s overall health.

Understanding the implications and potential fallout of cyber security issues is critical. Communicating with the Board and creating a plan that engages members in cyber strategy are keys to success.


For many, October is about disguises, tricks, and scary things. Maybe that’s why it was chosen as National Cyber Security Awareness Month. And while the FBI reminds us that security is everyone’s responsibility, it’s the C-suite in the hot seat when it comes down to it. But as the stakes are raised, the board of directors must also be involved.

Organizations are finally recognizing that a data breach is not just a possibility; it’s a question of when, not if. As awareness grows that technology has created a world of interconnected dependencies, in which one incident can have major and far-reaching repercussions, organizations are coming together as a unified front.

For instance, in the past year a consortium of security-minded businesses formed to unite in the war against cybercrime. Similarly, last year CNBC teamed up with The Aspen Institute and MIT to hold the Cambridge Cyber Summit. The conference brought together academics and leaders from business, law enforcement and government. And the G7, the international group of nations that includes the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom, set standardized guidelines to address cybercrime.

Why Should the Board Care?

In the past, a cyberattack might have been viewed as a standalone incident. But as the number of breaches has spiked and the damages have compounded, the landscape has changed.

When an organization is attacked, the cleanup is extremely time consuming and expensive. The average cost of a data breach is now $3.6 million, according to the IBM/Ponemon Cost of a Data Breach Study. The report also puts the likelihood of a recurring material data breach within the next two years at almost 28 percent.

Beyond the direct costs, there are plenty of other reasons the board should care, as a Deloitte CFO Insights report highlights: operational downtime, loss of customer trust, loss of intellectual property, and brand damage are just some of the consequences.

Cyber security issues can also have a severe impact on the valuation of a company, or cause a merger or acquisition (M&A) to go off the rails. In fact, according to a survey from West Monroe, 80 percent of respondents rated cyber security issues as highly important in due diligence. When evidence of cyber crime is uncovered during a merger or acquisition, it often ends up being a deal breaker or a price cutter. Unfortunately for Yahoo, it became a poster child of sorts for exactly this issue. Months before the merger went through, Fortune (and others) reported that Verizon was exploring the possibility of killing the deal because of Yahoo’s data breaches. While the deal did go through this past June for $4.48 billion, the fallout was significant: a $350 million price cut. Rubbing salt in the wound: 16 years ago the company was valued at $125 billion, and in 2008 it declined an acquisition offer from Microsoft valued at $44.6 billion.

Communicating these issues and their potential business impact is key to helping board members see both the value of security and the urgency. With that said, here are several elements to build into your plan to keep the board engaged:

  • Identify and examine with the board what the risk landscape looks like for your specific business. Determine which risks are acceptable and which ones must be addressed.
  • Create a board-approved, documented set of internal policies, controls, and procedures.
  • Conduct regular audits, in real time where possible, to verify that the controls in place are effective and that operations are going to plan.
  • Measure and report. Start with a baseline that captures the successes and failures of the security controls currently in place. From there, measure routinely to report progress or new areas of concern. Include detection (catch) rates, number of incidents, and other critical security indicators. Sharing this kind of information with the board on a regular basis is critical not only for their accountability, but also for setting business priorities and justifying budgets.
  • Maintain an ongoing dialog with the board on a routine basis, and keep the messaging nontechnical and focused on the business.

Remember, security is not a one-and-done situation. An effective security stance is constantly evolving. It is what ensures the integrity and value of your company, and it preserves your reputation.