In the past, the issue of cybersecurity has fallen onto the shoulders of IT – but just as cybersecurity has changed and advanced rapidly in the last few decades, so have the stakeholders responsible for handling it; cybersecurity is now the responsibility of the entire boardroom.
After all, approximately 1 billion accounts were compromised in 2016, according to Forrester’s report. That’s roughly three accounts per American citizen. And the global average cost of a data breach is $3.62 million, according to the 2017 Ponemon Cost of Data Breach study. Numbers of that size cannot be left to the IT department, which is focused on the day-to-day technology aspects of cybersecurity. For these numbers, you need to call in the big guns – the entire boardroom.
In other words, it’s enterprise-wide – and as a result, the responsibility has moved up the food chain.
Regulators have taken note too. Several states have begun proposing and enacting laws that require companies to take steps to ensure the security of information. A New York regulation, for example, was enacted in March 2017 and now requires any financial institution to implement and maintain a cybersecurity policy that is “approved by a senior officer or the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body.” It also mandates that institutions appoint someone, such as a chief information security officer (CISO), to be responsible for overseeing and implementing the approved cybersecurity policy. In addition, that individual must provide a written report to the board of directors covering the cybersecurity program and what risks the company has encountered at least once a year. This has been a game-changer for cybersecurity regulations.
“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs,” the legislation emphasizes. “The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”
These types of cybersecurity laws are going federal too – the Cybersecurity Disclosure Act of 2017, which has been proposed before the Senate, would, if passed, require publicly traded companies to disclose in their annual filings whether any member of the board has cybersecurity expertise.
So what’s the problem? Why can’t boards just “handle it”? While lawmakers and, to some extent, companies are starting to take cybersecurity more seriously, there are still a number of barriers that make it harder for boards to implement cyber policies and security structures, including:
- Budget and cost. At the end of the day, cost matters. New technology, subscriptions, consulting, and the OPEX cost of all the time, people, communications and resources needed add up quickly.
- The black box effect. Few people actually know what the black boxes on the network do – and without understanding, it’s hard to ask for (and receive) the support you need.
- Disagreement over ownership. While cybersecurity has been on the rise for the last few decades, figuring out who “owns” cyber is something leaders continue to grapple with.
- Compliance over protection. It would be easy for a company to simply pursue a “compliance” state of cyber instead of an approach that actually protects against real hackers and adversaries. It’s up to leadership to make sure their company is not only compliant but also effective. One does not necessarily equal the other.
At the end of the day, it’s up to leadership to ensure their company’s data is secure. They can’t abdicate cyber to IT any longer. As an executive search expert who has seen the focus on cybersecurity on the rise for decades, I’m here to help companies hire leaders who know what’s going on with cyber and understand the importance of investing in it. I’d love to chat.