Cybersecurity Issues Are Changing Board Governance Duties

According to an article in CIO, directors today know the importance of cyber governance but don’t always understand the risks of cybersecurity and their own board governance duties.

Julie Ragland, CIO and board member at Navistar, emphasizes that many boards mistakenly treat cybersecurity as purely a technical issue, focusing heavily on tools and protections. However, she points out that “more than 90% of cybersecurity incidents start with human behavior error,” making cyber incidents as much a communication and legal challenge as a technical one.

Ragland says that cybersecurity governance can be broken down into investment prioritization and incident response behaviors. She notes that the cyber investment can be huge. “The board needs enough understanding of cybersecurity to help prioritize these big investments,” she says.

Board members are well aware of their role in cyber as well as their board governance duties, and member selection criteria are changing. Ragland cautions against limiting the technology expertise they seek in directors to security. She says that knowledge of the strategic opportunity technology brings to organizations is just as important.

Appointing new members doesn’t let legacy directors off the technological hook. According to Ragland, all members need an understanding of the kinds of data they’re governing and the risk factors if that data is lost, destroyed, or exposed.

Ragland says cybersecurity executives are responsible for educating their boards, and less formal and more conversational settings than regular directors’ meetings are good ways to do so. She advises stepping away from technical presentations and concentrating on business risks and how IT contributes to protecting the organization.