A security incident can have a long-lasting effect on a company, and security is now seen as a boardroom issue. This is increasingly due to the size and scale of cyber attacks, which cause significant business disruption resulting in large-scale losses of revenue, reputational integrity and long-term profitability. As a result, more often than not, the CEO will be directly accountable for a major security breach, and questions may be raised at board level. The board therefore has a responsibility to ensure that appropriate executive ownership and resources, including budget, are made available to the business to manage security and risk effectively.
Perhaps a first step in increasing the board’s awareness of security and risk management is to fully understand the current risk exposure across all areas of the business. A high-level risk assessment service, for example, would look for security vulnerabilities in multiple areas including compliance, incident response, technology, cloud security, operations and third-party risk. This would result in a report, roadmap and presentation for the board, helping it understand the business’s immediate security issues and priorities at a high level so that resources can be directed effectively to begin managing security and lowering risk.
It’s also important to recognise that board members aren’t security experts and will need reliable, business-oriented professionals to guide them through executive decisions on security. To better understand and control information security, organisations need a champion who sits outside IT: a Chief Information Security Officer (CISO), perhaps, with an independent role and a budget they control themselves. Alternatively, it may make sense to outsource the function and budget to a trusted third-party provider of Managed Security Services that can plan and manage the security programme strategy for the board, as well as provide more hands-on Managed Security Services for the effective day-to-day management of security in the organisation.
To find out more about responsibility in cybersecurity, please read our full In View on ‘Cybersecurity. Who’s actually responsible?’