Boards of directors can no longer abdicate oversight of cybersecurity or delegate it to operating managers. Though they do not have day-to-day management responsibility, they have oversight and fiduciary responsibility. Many directors know this but still seek answers on how to proceed and manage cybersecurity risk.
The authors of this Harvard Business Review article conducted a survey to better understand how boards deal with cybersecurity: Only 68% of the directors asked said cybersecurity was discussed regularly or constantly; 9% said it wasn’t something they discussed.
Based on these results, they devised seven questions that help board directors guide discussions on managing cybersecurity risk:
- What are your most important assets, and how are we protecting them?
- What are the layers of protection we have put in place?
- How do we know if we’ve been breached? How do we detect a breach?
- What are our response plans in the event of an incident?
- What is the board’s role in the event of an incident?
- What are our business recovery plans in the event of a cyber incident?
- Is our cybersecurity investment enough?
Why does this matter for businesses?
Board members play a leadership role in managing cybersecurity risk, but many boards do not have cybersecurity expertise. And often, the language used to manage the business and the language used to manage cybersecurity are different. Focusing on common goals and asking the right questions can help narrow the gap between boards of directors and cybersecurity professionals.