Saturday, July 20, 2024


Boards need to brush up on cybersecurity governance, survey finds

Board cybersecurity preparedness is taking on more importance thanks to the Securities and Exchange Commission’s introduction of cyber disclosure rules. The risk of cyber threats targeting businesses is increasing, and the potential penalties for mishandling cyber incidents are growing, too.

But there’s a knowledge gap businesses need to address. 

A joint Corporate Governance Institute and Board Intelligence survey found nearly 60% of respondents don’t think they have received sufficient training on cyber resilience in the last 12 months.

In organizations with less cyber training, the board is less likely to challenge management on technology strategy and issues as robustly as it does on other topics, such as financial performance, the survey found. The Corporate Governance Institute surveyed 250 respondents for the report, including chairs, non-executive directors and executive directors of private companies, state-funded organizations and charities.

It shows how a lack of board cybersecurity education can translate into board members failing to ask management the hard questions about cyber, according to Rob Clyde, an experienced board director who spent many years on the ISACA global board of directors.

Clyde likens it to board members being able to read financial statements and ask good financial questions, regardless of their level of financial background or whether they are a CFO.

“The same is true when it comes to cyber. Every board director needs to be just as proficient when it comes to cyber, and be able to ask questions and participate in the dialogue,” said Clyde.

“It can also make it difficult for the board to assess whether the company is doing a good job from a management perspective relative to cybersecurity,” he said.

“A lack of cyber awareness can also lead to insufficient disclosures being made, which can lead to investigations and lawsuits,” he said.

It also means that if an incident does occur, organizations with stronger board cyber awareness have a documented foundation that can show they met a standard of due care.

What about the CISO’s responsibility?

While the board’s cybersecurity know-how is under scrutiny, CISOs are finding themselves in the hot seat and potentially liable for a company’s security shortcomings. 

CISOs now face substantial personal risks, as seen in cases such as Uber, where the former chief security officer was criminally prosecuted over the handling of a breach, and SolarWinds, where the SEC sued the company and its CISO. The primary risk is both personal and professional liability for the CISO, according to Kayne McGladrey, field CISO at Hyperproof.

The problem, however, is that boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy, leaving the CISO to bear that liability without coverage. “This exposes CISOs to substantial risk,” McGladrey told Cybersecurity Dive.

Boards looking to improve their response to cyber incidents need to be willing to invest in ongoing continuing education for board directors and set aside a certain amount of money for it, according to Clyde. They also need to decide if there is an expectation for directors to complete relevant training. 

While most boards say that at least once a year they do a deep dive into cybersecurity, some may determine that is not enough; in that case, they should add it as an agenda item at every quarterly board meeting, or more frequently as needed, said Clyde.

“This can be discussed during board evaluations when they look at where gaps might be, and where specific board directors may need more or less training, based on their backgrounds,” he said.

“The chair in particular plays an important role here to work with board directors to make sure that there is a sufficient understanding relative to this.”
