Bridging the Gap Between IT and the Board
Brian Stafford, CEO, Diligent Corporation
It seems that every week there is a new security incident that reminds us of the real and ever-changing threat facing corporate enterprises and data. Brand-new security vulnerabilities are identified every day. All of this begs the question: How many companies are really prepared in the event of a cyberattack, and what is the role of the Board of Directors in preventing such a breach?
A recent study from the Ponemon Institute found that 70 percent of board members feel confident that they understand the security risks faced by their organizations. That kind of confidence is normally tremendously encouraging, but the study also revealed that only 43 percent of IT security professionals agree. This is a noticeable gap that could spell out a gloomy level of preparedness should a security incident occur.
Cyber risk issues are highly technical, and without the proper training (which many board members do not have), these issues can be abstruse and difficult to understand. On the other hand, it can be difficult for those with a thorough technical understanding to translate security risks into meaningful insights for a board. And it takes a skilled executive to understand how a cyber vulnerability can impact all aspects of a company’s performance. While IT plays an important role in the identification and assessment of threats, it is truly up to an individual board to open the right lines of communication within a company, prioritize risk management and create a culture around security. All of this will work to open the channels of communication necessary to create a meaningful balance between identifying security risks and achieving the goals of a business. Here are some tips that can help keep the dialogue open across an organization:
Connecting the Dots
As a company, it’s worthwhile to consider whether there should be a board member who “speaks cyber,” a person who can help bridge the knowledge gap and act as a translator of sorts between IT and the rest of a board. As the technology landscape continues to evolve, hiring or training an expert who can merge the technical details with the larger corporate governance imperative can help a board identify the potential costs of different risks and plan to eliminate said risks proactively. A subcommittee dedicated to the analysis and assessment of cyber risks may also make sense, allowing for more time and attention to effectively tackle risks while minimizing any effects on the rest of a company.
Ongoing initiatives that improve exchanges between a board and IT can help close the knowledge gap. Arranging a monthly or quarterly education campaign that keeps board members abreast of new cyber topics can be effective, particularly if an organization doesn’t have the space or resources to appoint a cyber expert to their board. This will provide a healthy understanding of the current landscape, with the added benefit of creating a culture that is willing to ask tough questions about cyber risks.
Creating a Culture of Compliance
Policies that make it easy for employees to do the right thing can help a board feel more comfortable about compliance in the era of greater cyber risk. An organization can start first by implementing certified compliant systems to monitor risks on a daily basis and then actually enforce supporting guidelines. It may also be helpful to integrate secure data-sharing tools to make relaying sensitive information as simple as possible. With these measures in place, an organization has effectively created a benchmark of understanding between management and IT – thereby bolstering a security-conscious culture within an organization and accomplishing the ever-critical task of opening a dialogue about cyber risks.
The Evolving Security Landscape
There is speculation that the U.S. Securities and Exchange Commission (SEC) will soon require the disclosure of security incidents, making it even more important that an organization embrace a culture of compliance to protect internal data from prying eyes. New connected technologies are being introduced into the workplace daily – and as this web of devices continues to expand, so too do the security gaps between each device. It’s important to remember that a board has a responsibility to check all of the “best practices” boxes when making a decision around governance and security; this is a high bar to set, especially when the cost of such actions can impact the bottom line of an entire business. Companies must begin to develop an open and trusting relationship between their boards and IT to ensure that they will meet and surmount the evolving threat landscape.
[Image courtesy of Stuart Miles at FreeDigitalPhotos.net]
About the Author
Brian Stafford is Chief Executive Officer of Diligent Corporation. Mr. Stafford assumed the role of CEO in March 2015 and is responsible for all day-to-day operations, with a focus on accelerating global growth and incorporating scale into the business in order to manage the growth seamlessly. Mr. Stafford previously served as a Partner at McKinsey & Company. He holds a Master’s Degree in Computer Science from the University of Chicago and a BS in Economics from the Wharton School at the University of Pennsylvania.