Data breaches. First, they were the concerns of CISOs and CIOs. Some even lost their jobs after overmediatized breaches. Then CEOs got the spotlight, especially as brand reputations were damaged and customers left angry and churning. Today, board members are increasingly more involved in discussions around companies’ cybersecurity and measures needed to prevent being thrown into the next big headline.
We've come a long way from the days where board members would ask: Are we secure? They are now requesting scorecards that measure company security posture. They are also asking more questions related to regulations and how security controls can help demonstrate compliance. Soon, we will see boards demanding quarterly cybersecurity briefings -- some directly presented by the CISO -- rather than relying on the occasional update from the company security committee.
Because cybersecurity has experienced a "personality transformation" in recent years, the nature of boards’ attention to cybersecurity is also evolving. Before, it was all about the hardware of the enterprise -- its networks, firewalls and physical location itself. Fast-forward to 2017, and cybersecurity is now wholly centered on the less tangible and harder-to-control pieces: identities. Hackers today prefer people (through social engineering, phishing and other sneaky ways of getting a human to make a mistake) as their attack target du jour, and views on security and the attention of board members have shifted to identity.
This is an important shift, and, interestingly enough, board members will most likely play three very different roles when dealing with identity.
Boards As Targets
As we saw with the now-infamous breach of Colin Powell's email, which exposed a Salesforce M&A target list, board members are and will continue to be hackers’ targets. Board members communicate regularly via email with the companies they advise. Many times, they use their personal email accounts to communicate, which are typically less secure than corporate accounts. Most of the time their communication deals with very sensitive data: M&As, new market entry, personnel reshuffling and reorganization, and the usual financial data. That information, which is usually protected by a company’s full security infrastructure, is just sent over email via a file attachment to a group of directors, easily identifiable and therefore increasingly targeted.
A survey presented by Diligent Corporation's Dottie Schindlinger at the NYSE Governance Services Cyber Risk Board Forum in February reported that 60% of board directors use personal email regularly to communicate with fellow directors and executive management; 48% use their personal PCs or other devices to download board books and company documents; and 22% of them store these documents long-term on their devices.
The survey also reports that despite the mounting risk surrounding board communications, the main driver in deciding how communications between a board and its company are conducted remains with the board chairmen and not the IT department -- making board members that much more susceptible to a data breach.
Boards As Decision Makers
With so many high-profile breaches, such as those that took place at Yahoo! and LinkedIn, and their potential domino effect across organizations along with the regular cadence of breaking news around new regulations in cybersecurity, boards are quickly recognizing that there is a real need for risk transfer. They are now looking at the growing cyber insurance industry as a way to mitigate the financial risk that goes along with a data breach.
According to Chad Hemenway, who spoke at Advisen’s 2015 Cyber Risk Insights Conference, as many as 80% of managed care organizations have contracted cyber insurance; 50% of retailers and 50% of tech companies have done the same. But surprisingly, in 33% of the cases, boards were in a position to recommend buying cyber insurance, and in 25% of the cases, they made the decision about the purchase. The executive management team accounted for 63% of the recommendation and 50% of the decision making, while CSOs accounted for 30% of the recommendation and only 5% of the decision making.
This data shows a new, decisive role from boards in regard to cybersecurity. Although boards may not be active in deciding which type of security infrastructure a company should implement, some are focusing on managing the risk associated with data breaches, especially the ones related to compromised identities.
Boards As Agents Of Change
Most executives are very concerned about cybersecurity due to the unknown threat of what could happen and how it could impact their business. But a smaller number of them, 44% based on a 2016 Cisco Survey, see cybersecurity as a competitive advantage, and 30% believe its purpose is mainly growth enablement. The Cisco survey goes on to describe how many executives are stuck on the fear and uncertainty of cyber risks and, as a result, are potentially missing the huge opportunities that a strong and innovative cybersecurity strategy can bring to the digital transformation of their businesses.
Bill Bock, a member of our board of directors who has served on several public boards and is currently on the board of Silicon Labs, puts it this way: “Board members should advise their executive teams about the important role cybersecurity plays today. It is not just about cybersecurity as a defense tactic, but it has truly become a way for companies to increase the velocity of their business. With that perspective in mind, companies can and should consider a strong cybersecurity strategy as a competitive advantage.”
This might just be where boards could have a huge impact -- by helping and guiding executives to see these opportunities and seize them before it's too late. It means adjusting to a new normal of threats and risk in an era of digitalization of data and processes. It means thinking forward on how to compete and thrive in that environment.
