As cyber attacks become more costly, disruptive and risky for businesses, cybersecurity governance is quickly becoming a priority for boards. Some boards have added cybersecurity expertise as a new director's title to their rosters. Others rely on contractors and third-party service providers to bring cyber-risk expertise into the boardroom. Some boards are using the controversial practice of hiring hackers on red teams to test their systems and find out in which areas they are at risk.
For many boards there’s an inconsistency between their stated goals and the actions they take to fulfill the priorities. Our research has found that only 69 percent of board members say they are regularly in contact with their CISOs, and a significant percentage of them only communicate with their CISOs during board meetings. These gaps must be plugged to ensure that the boardroom has adequate visibility and discussion about cybersecurity risk.
To close the gap, it is critical to make cybersecurity a core element of every board meeting and to involve directors in meaningful discussions about the risks they have to accept. This will require a change in the way conversations take place in the boardroom, such as having a dedicated cybersecurity agenda item and introducing pre-read materials that support more in-depth discussion of cybersecurity issues during meetings. It is also crucial to make cybersecurity a priority for the board and to create a security-minded business culture through a clear tone from the top and rewards for those who speak up about risk.