In Light of Ever-Increasing Cybersecurity Risks, Boards Must Deepen Their Oversight and Engagement

Published 2019-05-23 at https://blackopspartners.com/in-light-of-ever-increasing-cybersecurity-risks-boards-must-deepen-their-oversight-and-engagement/

Just how much are companies struggling to get a handle on cybersecurity risks and digital disruption? According to the National Association of Corporate Directors (NACD)’s “2019 Governance Outlook,” boards are uneasy about the various digital risks their organizations face. The report is designed to provide leadership with a picture of the business landscape, and as you might expect, regulations, cybersecurity risks and disruptive technology feature prominently in the list of concerns.

More precisely, when asked to name the top five trends likely to have the greatest impact in the coming year, NACD respondents pointed to changes in the regulatory climate first (49 percent), followed by the potential for an economic slowdown (48 percent) and cybersecurity threats in third (42 percent). NACD commented on these findings, noting that “companies are bracing for the effects of proliferating cybersecurity and data-privacy rules as regulators play catch-up in overseeing the digital economy.”

In light of a regulatory landscape that is becoming more complex and costly — especially post-incident — boards need better insight into the organization’s cyber risk exposure and its ability to handle and recover from those risks. Here are a few questions board members can ask themselves to gauge their oversight and engagement.

Do We Fully Grasp Cybersecurity Risks?

Boards understand that digital disruption is a reality of business today. Sixty-two percent of board directors view “atypical, disruptive risks” as more important to organizations today than five years ago, according to NACD. While boards are confident in management’s ability to deal with known risks, directors are less certain of their preparedness for disruptive risks — only 19 percent of respondents were extremely or very confident.

Organizations know that their competitors are actively looking to leverage artificial intelligence (AI), big data, blockchain and the internet of things (IoT), but the ability to foresee how those changes would impact their own cybersecurity risk posture is limited. AI and the IoT in particular were viewed by NACD survey respondents as the two technologies most likely to disrupt their companies — but they were also ranked as the first and third most likely to benefit them, respectively.

Beyond the challenges of data security and modern digitization, the impacts of rapid changes in the regulatory landscape mean that companies must continuously scan the horizon to determine whether they’re still in good standing. In the U.S., the NACD noted the rollout of multiple state-level regulations in California, Vermont, New York and South Carolina, as well as the recent creation of the Cybersecurity and Infrastructure Agency (CISA) within the U.S. Department of Homeland Security (DHS).

For boards, this is a reminder to ensure that management has properly integrated disruption-related information in their strategy, performance and decision-making processes. Boards should also ensure they are getting quality information — in the form of risk metrics and trend lines — from management regarding the potential impacts of disruptive risks. Procedures for escalating critical and time-sensitive information to the board should be reviewed. For chief information security officers (CISOs), this is an opportunity to re-engage with the board, the C-suite and the organization overall to ensure that digital risks are appropriately considered and accounted for at all levels of decision-making.

How Effective Is Our Cybersecurity Management?

The NACD report specifically called out the need for boards to appropriately review the effectiveness of their organizations’ cybersecurity management programs. By now, enough organizations have found themselves jolted, fined or sued, or even had their operations temporarily shut down as a result of a cybersecurity incident, to understand that simply taking the CISO at their word isn’t a valid option.

Directors are encouraged to challenge management about the outcomes of the security program as a whole, and whether the organization has invested appropriate levels of time, talent and money into its security projects. The often thorny issues of accountability and ownership are also important because digital risks can propagate across silos and locations. The board must assign clearly articulated ownership and accountability of various cybersecurity risks.

This renewed attention from the board is an opportunity for CISOs to review the quality of the information they share with the board, to ensure they’re operating as cybersecurity advisers and strategists to the entire organization. But with a greater level of trust come greater demands: when management and the board are asking more skeptical questions about the benefits of the security projects on the road map, CISOs need to be ready to demonstrate the value of those investments.

Do We Have Adequate Oversight?

Finally, the report contains several reminders of the need for boards to ensure that they are taking on the appropriate duties when it comes to cybersecurity risks. Directors need to ensure they are seeking and receiving adequate education on the topic. Board directors should also seek independent assurances about the cybersecurity program, which for many means leaning on the internal audit function to perform a cybersecurity assurance examination. Of course, board directors can also choose — and they are often encouraged — to consult external advisers.

For CISOs, the additional scrutiny could easily be taken as unwanted or even negative attention. Instead, they should think of it as an opportunity to get support from and engagement with the very top levels of the organization. This channel offers CISOs the opportunity to provide more education about the digital threat landscape — being careful to leverage business metaphors instead of getting deep in the technical weeds. This is also an opportunity for CISOs to get involved with, or even lead, a group to develop ideas and insights about trends and opportunities, especially regarding digital transformation.

At a time when there is tremendous pressure to safeguard ever-expanding caches of sensitive data — dispersed across the organization and often across countries — and when it is critical to improve one’s resilience in the face of increasing digital dependence and interdependence, board directors must deepen their oversight of cybersecurity risks. CISOs, on the other hand, should help shed light on board-level concerns and prepare for the likely questions that boards will ask them during their next interactions.

Read more at Security Intelligence.
