Five cybersecurity questions that boards should consider

With today’s increased digitalization and work-from-home models, organizations have seen a rise in security breaches. And while the onus was previously on network security teams to prevent cyberattacks, now the board of directors is being viewed, and held accountable, as custodians of organizational data.

Boards face the need to not only include cybersecurity on their agendas, but also periodically execute cybersecurity strategies, in coordination with corporate leadership. At many organizations, this begs the question: What steps can (and should) the board take to protect the company, as well as minimize damage in the event of a breach?

Deloitte’s recent report, “The Changing Role of the Board on Cybersecurity,” addresses these questions and underscores the importance of a top-down approach in creating more secure and resilient organizations. As potential attack surfaces increase in more distributed and homebound environments, here are five questions that companies and their boards can consider in order to foster a strong cybersecurity posture.

1. Is there a holistic approach to tackling cyber-related matters? Analyses of cyberattacks reveal that it’s not only technology breaches that lead to security incidents, but also the exploitation of well-meaning employees, who lack adequate preparedness. In addition to robust technology and monitoring, a holistic approach to cybersecurity requires active participation from a number of parties. This includes making cybersecurity the responsibility of each individual in the organization, and empowering them with basic threat awareness and response techniques.
2. What are the “crown jewels” that we must protect? Does management review them and make changes? As organizations operate in a digital world, and as threats from adversaries increase in sophistication, there will always be gaps in cybersecurity controls. It’s important for companies to identify certain key assets or “crown jewels” and categorize them based on their value. These categorizations will influence an organization’s cyber strategy and help the board evaluate risks that can be accepted, mitigated or transferred.
3. Is there well-defined cyber risk ownership at the board or management level? And have they developed a resilient contingency plan in dealing with a possible cyber breach and changing risk landscape? The evolution of cyber risks calls for attention at multiple levels: from the board and senior leadership, to internal audit, risk management and cyber teams. While the board should be responsible for ensuring that cyber strategies are created and subsequently implemented by leaders, companies also need to provide feedback on the outcome of these strategies to the board. In addition, it’s important for the board to be up-to-date on changing cybersecurity models, such as the movement from the flawed castle-and-moat approach to the more stringent and robust zero-trust model. This will help companies tackle more sophisticated attacks and make informed decisions in real-time.
4. Is there a strategy to identify and hire diverse cybersecurity talent?
   Updates and changes to the regulatory environment, legal and compliance landscape, and business processes have broadened the skillset that modern cyber teams require. The cyber workforce gap is wide, with a 2020 (ISC)² study estimating it encompasses more than 3 million open jobs. Organizations cannot automate or outsource their way out of such a large gap; they face the need to create a diverse cyber culture that attracts and retains professionals. The board can actively adopt and sponsor a more concerted effort in hiring diverse talent, resulting in unique perspectives from skilled individuals.
5. Has management factored in risk with third parties, including outsourced IT, cloud service providers and other partners, in its cyber strategy? With cyberthreats becoming more sophisticated and pervasive, it greatly benefits businesses to have proactive security mechanisms across the entire organizational ecosystem, including with business partners, contractors and other vendors – ensuring these third-parties have acceptable levels of cybersecurity.

Adopting and implementing a proactive, top-down approach to cybersecurity enables organizations to mitigate risk and gain a competitive advantage. Successfully creating a culture of cybersecurity is now atop the board’s priorities. With robust cyber oversight now, companies can anticipate – and act on, with confidence – what’s new and next.