Cybersecurity has spread beyond its tech niche and into the boardroom. Given their growing magnitude and frequency, cybersecurity breaches, which have the potential to shake major corporations to their core, are an issue of enterprise-wide importance. And there isn’t a board anywhere that isn’t rattled by this challenge, especially considering the potential for lost or stolen intellectual property, damage or destruction of critical data or infrastructure, disruptions to critical operations, and loss of confidence among customers, investors and employees.
Don’t plan for prevention, which is most likely not possible. Rather, prepare to mitigate the most serious damage to the enterprise, and think “when” not “if,” because it’s just a matter of time until your organization is hit.
Being prepared for a cyberattack is half the battle. Start by ensuring that someone on the board—or someone the board has direct access to—is cybersecurity savvy. Here is a checklist of what your board should do before a breach occurs:
- Conduct a thorough assessment of the organization’s current information security capabilities, aligned with internal vulnerabilities and external threats.
- Review security and privacy budgets, company security policies, and roles and responsibilities of all relevant leadership.
- Ensure that there is a strategic vision and road map that proactively protects assets and keeps pace with escalating threats and evolving regulatory requirements.
- Develop a comprehensive incident-response plan, with full visibility and sponsorship from senior management, that is rehearsed and stress tested.
- Confirm that the organization has the credible leadership and talent to develop, communicate, and implement an enterprise-wide plan to manage cyber-risk.
- Implement a strong communication and education program to raise awareness and create an environment in which all employees embrace responsibility for cybersecurity.
In addition to the internal steps that boards must take to protect the enterprise, they must maintain awareness of government actions that will affect their companies, given the growing magnitude and far-reaching consequences of cybersecurity issues.
In response to the rise in high-profile data breaches and cyberattacks, a bill was recently introduced in the U.S. Senate, the Cybersecurity Disclosure Act of 2015 (S. 2410), which now sits before the Senate Banking Committee. While cybersecurity is likely already top of mind, this legislation reinforces the idea that information security and data protection are increasingly a corporate governance issue.
If this bill were to become law, it would require public companies to disclose whether any board member has experience or expertise in cybersecurity, and to describe the nature of that background. In the event that no board member has cybersecurity experience, the company would be required to explain in its disclosures why an expert is unnecessary, as well as what additional measures the company is taking to improve cybersecurity. Boards will increasingly be required to include cybersecurity experts, just as they currently are required to have financial experts. The challenge will be meeting the demand for this expertise.
While the proposed bill may never be enacted, it is a clear signal that the days of treating cybersecurity as an IT or compliance issue are gone. And if boards are not already aware of cybersecurity as a fundamental enterprise-wide duty of the board, for which the board must have a plan, they now certainly should be. The proposed bill underscores the need for boards and senior management to approach cybersecurity as a business-risk issue and to provide the attention and resources required to protect the company’s sensitive data in our ever-changing and complex, technology-dependent world.
Clearly, there is no such thing as airtight cybersecurity protection—as witnessed by recent data breaches at even the IRS and the CIA—but there is much that boards can do to protect their companies by implementing a plan designed to prevent breaches, and certainly to limit the damage when they do occur.
These are issues we work to stay ahead of every day, given new and emerging threats as well as an evolving regulatory environment. Korn Ferry’s Cybersecurity Practice, focused on our clients’ unique information security talent and organizational needs, integrates our expertise in board effectiveness and composition, enabling us to understand the governance and pertinent issues facing directors and senior management as they prepare to defend against and recover from cyberthreats.