Five cybersecurity questions that boards should consider

With today’s increased digitalisation and work-from-home models, organisations have seen a rise in security breaches. And while the onus was previously on network security teams to prevent cyberattacks, now the board of directors is being viewed and held accountable, as custodians of organisational data.

Boards face the need to not only include cybersecurity on their agendas, but also periodically execute cybersecurity strategies, in coordination with corporate leadership. At many organisations, this begs the question: What steps can (and should) the board take to protect the company, as well as minimise damage in the event of a breach?

Deloitte’s recent report, “The Changing Role of the Board on Cybersecurity,” addresses these questions and underscores the importance of a top-down approach in creating more secure and resilient organisations. As potential attack surfaces increase in more distributed and homebound environments, here are five questions that companies and their boards can consider in order to foster a strong cybersecurity posture.

1. Is there a holistic approach to tackling cyber-related matters? Analyses of cyberattacks reveal that it’s not only technology breaches that lead to security incidents, but also the exploitation of well-meaning employees, who lack adequate preparedness. In addition to robust technology and monitoring, a holistic approach to cybersecurity requires active participation from a number of parties. This includes making cybersecurity the responsibility of each individual in the organisation and empowering them with basic threat awareness and response techniques.
2. What are the “crown jewels” that we must protect? Does management review them and make changes? As organisations operate in a digital world and as threats from adversaries increase in sophistication, there will always be gaps in cybersecurity controls. It’s important for companies to identify certain key assets or “crown jewels” and categorise them based on their value. These categorisations will influence an organisation’s cyber strategy and help the board evaluate risks that can be accepted, mitigated or transferred.
3. Is there well-defined cyber risk ownership at the board or management level? And have they developed a resilient contingency plan in dealing with a possible cyber breach and changing risk landscape? The evolution of cyber risks calls for attention at multiple levels: from the board and senior leadership, to internal audit, risk management and cyber teams. While the board should be responsible for ensuring that cyber strategies are created and subsequently implemented by leaders, companies also need to provide feedback on the outcome of these strategies to the board. In addition, it’s important for the board to be up-to-date on changing cybersecurity models, such as the movement from the flawed castle-and-moat approach to the more stringent and robust zero-trust model. This will help companies tackle more sophisticated attacks and make informed decisions in real-time.
4. Is there a strategy to identify and hire diverse cybersecurity talent?
   Updates and changes to the regulatory environment, legal and compliance landscape, and business processes have broadened the skillset that modern cyber teams require. The cyber workforce gap is wide, with a 2020 (ISC)2 study estimating it encompasses more than 3 million open jobs. Organisations cannot automate or outsource their way out of such a large gap; they face the need to create a diverse cyber culture that attracts and retains professionals. The board can actively adopt and sponsor a more concerted effort in hiring diverse talent, resulting in unique perspectives from skilled individuals.
5. Has management factored in risk with third parties, including outsourced IT, cloud service providers and other partners, in its cyber strategy? With cyberthreats becoming more sophisticated and pervasive, it greatly benefits businesses to have proactive security mechanisms across the entire organisational ecosystem, including with business partners, contractors and other vendors – ensuring these third-parties have acceptable levels of cybersecurity.

Adopting and implementing a proactive, top-down approach to cybersecurity enables organisations to mitigate risk and gain a competitive advantage. Successfully creating a culture of cybersecurity is now atop the board’s priorities. With robust cyber oversight now, companies can anticipate – and act on, with confidence – what’s new and next.

• To learn more about Sustainability, please visit Climate & Sustainability website
• To learn more about TPRM, please visit Third Party Risk Management website
• To learn more about Cyber, please visit Cyber website

Return to the Responsible Business home page to discover more insights from our leaders.