An organization's cybersecurity strategy is not just the concern of the IT team – board members also need to ensure oversight of cyber-risk management, says Trenergy's co-founder and managing director Peter Purcell.
Writing for the CIO website, Purcell warns that board members whose company suffers a breach as a result of failing to develop cybersecurity awareness face not only financial repercussions but also lawsuits.
Purcell points to the U.S. as an example, highlighting how the Department of Justice has recently provided guidelines on the role of the board of directors in overseeing cyber-risk management. It suggests the CIO now has a responsibility to communicate the cybersecurity strategy to board members and to detail critical risks to help avoid personal liability.
Purcell acknowledges that while the Board doesn't need a granular-level understanding of its firm's cybersecurity strategy, it should, as a minimum, understand how failures can impact the business.
He identifies three specific areas the Board should have knowledge of in case of a breach. The first is how business processes would be affected by a breach. That means the CIO reviewing the results of regularly scheduled security assessments with the Board, so that it is aware of potential threats and of how the IT team is safeguarding against those risks.
Secondly, the Board needs to know how decisions will be made during an incident. That requires the CIO to assess the current internal compliance policies against industry-standard compliance policies and then share these findings with the Board.
Finally, the CIO should make the Board aware of vendor compliance policies and of how vendors are securing company data. If this is learned only once a breach occurs, it'll be deemed too late – especially if a lack of compliance is to blame for the breach.