How boards can take responsibility for cybersecurity

If security wasn't already a board-level topic of discussion, destructive attacks like NotPetya and WannaCry and the threat of ransomware have undoubtedly made it one. Cybersecurity has crept its way into earnings calls. Listening to CEOs and CFOs explain to investors how malware like NotPetya cost organizations millions in quarterly revenue is becoming as common as hearing about earnings per share.

While this is great news for CISOs and security executives who have long been waiting for businesses to see cybersecurity as a priority, this development doesn’t necessarily mean that boards totally understand security. Remember, their background is in business, not computer science. While board members may be masters of go-to-market strategies and providing sage business advice, they’re likely not well versed in how to detect adversaries and secure endpoints.

So while board directors are keenly aware that cybersecurity matters, how can they help keep their organizations safe from the myriad of threats that are out there?

Cybereason CSO Sam Curry provides answers in a Harvard Business Review article that looks at how boards can take responsibility for cybersecurity. One key takeaway is that board members don’t need deep expertise in cybersecurity. Instead, they should focus on cybersecurity from a governance perspective. This means taking steps like ensuring that the organization has a detailed incident response plan in place (Curry notes that even the best-defended companies will inevitably get breached) and focusing on the company’s culture as much as technology (security means creating a corporate culture where protecting sensitive information is everyone’s duty, he writes).

Head to Harvard Business Review’s site to read the full article.

Fred O'Connor
About the Author

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.