Vice Chairman, Managing Director, Board & Chief Executive Officer Services
Cybersecurity has spread beyond its technology niche and into the boardroom. Given their growing magnitude and frequency, cybersecurity breaches, which can shake major corporations to their core, are an issue of enterprise-wide importance. There isn’t a board anywhere that isn’t rattled by this challenge, especially considering the potential for lost or stolen intellectual property, damage to or destruction of critical data or infrastructure, disruption of critical operations, and loss of confidence among customers, investors and employees.
Don’t plan for prevention, which is most likely not possible. Rather, prepare to mitigate the most serious damage to the enterprise, and think “when,” not “if,” because it is only a matter of time until your organization is hit.
Being prepared for a cyberattack is half the battle. Start by ensuring that someone on the board—or someone the board has direct access to—is cybersecurity savvy. Here is a checklist of what your board should do before a breach occurs:
In addition to the internal steps that boards must take to protect the enterprise, they must maintain awareness of government actions that will affect their companies, given the growing magnitude and far-reaching consequences of cybersecurity issues.
In response to the rise in high-profile data breaches and cyberattacks, a bill was recently introduced in the U.S. Senate, the Cybersecurity Disclosure Act of 2015 (S. 2410), which now sits before the Senate Banking Committee. While cybersecurity is likely already top of mind, this legislation reinforces the idea that information security and data protection is increasingly a corporate governance issue.
If this bill were to become law, it would require public companies to disclose whether any board member has experience or expertise in cybersecurity, and to describe the nature of that background. If no board member has cybersecurity experience, the company would be required to explain in its disclosures why an expert is unnecessary, and what additional measures the company is taking to improve cybersecurity. Boards will increasingly be required to include cybersecurity experts, just as they are currently required to have financial experts. The challenge will be meeting the demand for this expertise.
While the proposed bill may never be enacted, it is a clear signal that the days of treating cybersecurity as an IT or compliance issue are gone. If boards are not already aware that cybersecurity is a fundamental enterprise-wide duty of the board, one for which the board must have a plan, they now certainly should be. The proposed bill underscores the need for boards and senior management to approach cybersecurity as a business-risk issue and to provide the attention and resources required to protect the company’s sensitive data in an ever-changing, complex and technology-dependent world.
Clearly, there is no such thing as airtight cybersecurity protection—as witnessed by recent data breaches at even the IRS and the CIA—but there is much that boards can do to protect their companies by implementing a plan designed to prevent breaches, and certainly to limit the damage when they do occur.
These are issues we work to stay ahead of every day, given new and emerging threats as well as an evolving regulatory environment. Korn Ferry’s Cybersecurity Practice, focused on our clients’ unique information security talent and organizational needs, integrates our expertise in board effectiveness and composition, enabling us to understand the governance and pertinent issues facing directors and senior management as they prepare to defend against and recover from cyberthreats.