Boards and Info Security Chiefs Are Talking Past Each Other
January 29, 2024
In a Harvard Business Review article, Lucia Milică and Keri Pearlson argue that corporate boards are not having the right conversation about cybersecurity, which creates a security risk for the companies they oversee.
The authors surveyed 600 board members about their attitudes and activities concerning cybersecurity. Sixty-five percent believe their organizations are at risk of a major cyberattack within a year, yet half believe they are unprepared to deal with the problems an attack creates.
The article identifies issues and suggests some solutions. For example, board interactions with the CISO are rare. Fewer than half of board members interact with CISOs regularly, and they rarely get together on a personal level.
Fully one-third of board members only see the CISO at board meetings. No meaningful dialogue can develop when interaction is so sparse.
However, the board isn’t solely at fault. CISOs tend to speak in tech jargon and find it difficult to translate it into business terms like risk, reputation, and resilience.
The authors suggest that board composition might have to change to bring in cybersecurity expertise. The other option is board training.
Board conversations should focus on building resilience against cyberattacks. It is crucial to consider an attack as inevitable and aim for a quick recovery with minimum damage, low cost, and an intact reputation. Unfortunately, most board members view cybersecurity as a technical matter rather than a strategic imperative.
However, research conducted by the World Economic Forum suggests that human error is responsible for over 90 percent of cybersecurity incidents. Surprisingly, only 67 percent of board members identify human error as their major vulnerability.
Cybersecurity should be discussed at every board meeting with regular updates in between. The conversation should concentrate on the most significant risks and the best ways to recover from them. Although minimizing the possibility of an attack is important, it should not be the primary goal.