With cyber threat levels on the rise and their complexities growing, it is time to bring cybersecurity into the boardroom, says Puneet Kukreja
According to the EY Ireland Global Information Security Survey 2021, 90 percent of Irish cybersecurity leaders reported an increase in disruptive cyberattacks over the previous 12 months. This issue goes beyond the chief technology officer’s remit and should be a company-wide concern, including the organisation’s board.
The board plays an important role in overseeing and supporting how an organisation enhances its cybersecurity controls and practices in a world where threat levels are on the rise.
Below are seven critical areas that boards need to focus on to better align themselves with the organisation’s cyber strategy and ensure that the organisation’s cybersecurity needle is moving in the right direction.
1. Understand the business
Boards and their sub-committees are now required to undertake key oversight activities related to cyber risks across critical business processes and systems. For this, they should be aware of the budget allocated to cybersecurity programmes and understand whether the organisation’s cybersecurity function is adequately funded and resourced.
The board should also be aware of the key responsibilities for security and data privacy across the enterprise, and of the potential exposure arising from known blind spots.
2. Acquire knowledge of technology
It is important for the board to gauge if it has the required knowledge and expertise in technology. It is imperative for the board to understand how the rapidly evolving ecosystems of cloud, cyber and data protection, internet of things and privacy overlap with its role in corporate governance and risk management.
3. Understand the cyber environment
The board needs to have a clear knowledge of how a cyber threat can be responded to in a rapid manner.
It is critical for the board to have a view of the full range of cyber risks facing the organisation and the potential to improve its existing cybersecurity control and practices. It needs to ask if management can implement the required risk management protocols to reduce the mean time to exposure and if the organisation has an effective incident response and recovery function in place.
It is also important for boards to know if the systems targeted in a cyber event are managed internally, externally or sourced from the cloud.
4. Facilitate response readiness
Boards must help document a cyber threat management framework. This framework should be regularly tested against the ‘cyber kill chain’ approach, a phase-based model that describes the stages of a cyberattack and helps organisations construct response plans.
5. Have exposure to cyber wargames
Have the board and its sub-committees been exposed to a cyber incident response training exercise, or received training on how the organisation will respond if an attack occurs? One key action that boards can take is to bring cybersecurity-related skills and experience into the boardroom through the appointment of non-executive directors with previous experience in technology-related roles.
6. Keep third-party agreements ready
Boards need to ensure that cyber incident response agreements are in place with third-party suppliers of technology and subject matter experts who can be mobilised in the event of a cyberattack.
Boards also need to understand how the cyber risk exposures of all stakeholders are assessed and determined.
7. Be adept at media management
If systems are compromised and sensitive data stolen, it could potentially impact an organisation’s reputation. The board should understand how the organisation will respond to the media and stakeholders following a cyberattack or breach.
Take a holistic approach
With remote and hybrid work being the new normal, continuous assessments and improvement of cybersecurity controls and practices across the organisation should be the focus of the board. For this, boards can mandate organisation-wide continuous training and education around cyber threats. It may also be useful to accompany this with a cyber awareness programme.
An eye on the internal control framework and cybersecurity monitoring procedures is needed as well.
The role of the board is assuming greater importance as cybersecurity risks and threats grow. Boards must now play a more constructive role in advising on post-incident response plans and in managing them from a business continuity perspective.
Cybersecurity activity should not be seen as purely defensive. A company’s ability to adjust and strengthen its cyber resilience will position it for a more secure future.
Puneet Kukreja is Cyber Leader in EY Ireland