The importance of cybersecurity conversations in the boardroom
Why security early on is vital for innovation
With all the data breaches in the news today, I think it’s safe to say that cybersecurity is a topic of concern for companies of all sizes. The importance of cybersecurity has risen over the years as more data has moved to the cloud and as governments (both state and federal/national) have created laws and regulations around best practices. The impact of a breach or of violating a law can amount to millions of dollars in lost revenue and a loss of goodwill. Consequently, over the past several years, boards have started to become more involved.
Given the number of breaches and cyber attacks happening today, it’s essential that boardrooms have conversations around security. Because of the tumultuous nature of the cloud and the growing caliber of bad actors, it’s become more important for businesses to consider securing their cloud environments before business activities begin. This increased focus on security has placed the responsibility not solely on CISOs, but also on the executives of the company. While the CISO can present risks and develop plans to mitigate them, the CISO does not control the money. The executives and the board have to weigh the risks of action versus inaction and act accordingly. Thus, board-level conversations around security are essential to promote open communication about the cybersecurity risks to the company.
When I attended my first board meeting years ago as a CISO, I realized that I was not as prepared as I should have been. I sat down in my chair in front of the audit committee of the board and prepared to go through my status. Before I could even get started, the chair of the committee pulled out a red pen and started to make notes all over his paper copy. He wanted to dig into the numbers and raw metrics of what I was presenting, not so much the individual status of the various projects. After the meeting, I did some research on the chairman and realized he had spent his entire career in banking. Numbers are what he knew, and it was the language he spoke. That was a great lesson in ensuring your security message is tailored to your board members.
While security has always been an important business issue, boardroom conversations around cybersecurity have changed over the years. When security first started to become a focus, the CISO (or security lead) was typically buried under an executive like the CTO or CFO. The CISO would provide a summary that would be presented to the board along with the other technology updates. In the last few years, the CISO role has gained prominence due to the complex nature of the subject and the increased risk. This has shifted the conversation to an executive level where security risks are heard and balanced against other risks to the business.
This rise in CISO prominence has also forced many boards to become more informed on cybersecurity practices and compliance in general. In the past, many board members came from non-technical backgrounds that focused mostly on numbers and business growth. When cybersecurity risks were brought up, they were not fully understood, so it was difficult to make informed decisions. Today many boards have several members with technical backgrounds. That enables conversations to take place at an executive level where security risks to the business can be truly understood and weighed against other risks and priorities.
The threats posed by cybersecurity attacks will not stop, and the conversations will adapt to understand them.
Given the complex and ever-changing nature of the attacks, boards will use their security expertise to continue to educate themselves. Privacy risks will also begin to receive more focus at the board level. As more states and countries create privacy laws, following the lead of the General Data Protection Regulation (GDPR) in the EU and California’s CCPA/CPRA and related state-level laws in the US, a specific focus will be put on ensuring compliance with the many privacy laws and regulations. That conversation happens today at some companies that have the resources to dedicate to privacy initiatives, but it will grow into more of a focus in the years to come.