“The day of the ball is not the time to learn how to dance,” says the Wall Street Journal’s Cybersecurity Research Director, Rob Sloan. At a recent AICD event, he shared the five questions boards need to ask to prepare for attacks and protect their organisation’s cybersecurity.
1. What does cybersecurity mean to your organisation?
To answer this question, Sloan says you should consider these three corners of the security triad:
Confidentiality – what are the consequences if your data is published or your intellectual property stolen?
Integrity – what happens if you can no longer depend on the data that is in your systems? You may end up no longer having trust in what your systems are telling you.
Availability – if you can't do business internally because your systems aren't working or if your customers can't reach you, it doesn't take long before there's a very serious impact on your business.
2. Who are the key people responsible for cybersecurity at your organisation?
Until quite recently, the vast majority of organisations would have said the key person responsible for cybersecurity was the chief information security officer, according to Sloan. But now many organisations are at the point where they need someone above that in the c-suite who is responsible for cyber and steering the organisation's strategy.
For around 10% of organisations in the US, the chief financial officer is now responsible for cybersecurity as it is an investment issue, Sloan says. There is no point spending millions of dollars to protect thousands of dollars’ worth of information.
3. How vulnerable is the organisation?
Every organisation has vulnerabilities, Sloan told the audience. The work for the board is to ascertain their extent. What measures are already in place to reduce the likelihood of incidents? What are your gaps? Have you had an external assessment? Have experts come in who can pick holes in your processes? Are policies in place around cybersecurity? Are they reviewed regularly?
Crucial to plugging gaps is making sure employees are adequately briefed. In a lot of organisations, a new employee might get ten minutes or an hour on cybersecurity, according to Sloan. They get told how to create a password and how not to use USB sticks and then cybersecurity is never mentioned again. There needs to be ongoing employee education, awareness and training.
Organisations also need to think about which third parties might hold their data. As a director, can you be sure those third parties protect that data to the standard you expect? Is the organisation conducting regular audits of third parties?
4. What's your organisation's risk tolerance and exposure?
The board needs to have a tricky conversation around its organisation's tolerance for risk. Sloan says that the answer for an organisation could be, "We’re aware of the risks, and we’re not going to invest in cybersecurity."
But to do that, the board better make sure it is completely informed about the risks the organisation faces.
Every organisation also must have in place systems to make sure risks are tracked, measured and reported up to the board.
5. And what's your long-term strategy for dealing with cybersecurity?
Lots of organisations think about technical solutions to particular security problems but not how to protect the business as a whole.
Organisations need to decide what information is business critical, according to Sloan. They need to accept that there will be attacks and there will be data losses. This present two issues that a board must decide: firstly what are the crown jewels in terms of data that absolutely must not be breached; and secondly when there is a breach, what are your strategies for recovery.
The AICD regularly runs courses and events for directors, aspiring directors and executives, covering governance and business best practice. Click here to see our upcoming courses in Western Australia.