(September 25, 2023) Board members have traditionally had little involvement in the specifics of cybersecurity, leaving those matters to chief information security officers (CISOs). However, according to estimates by Statista Market Insights, cybercrime cost the global economy more than $7 trillion in 2022 and is expected to double by 2028. Nasdaq estimates that data privacy issues caused a loss of $1.4 trillion in market capitalization for public companies in the first half of 2022. If the cost of cybercrime and privacy failures were a country's GDP, it would be the third-largest in the world. Since data breaches represent an existential threat to many organizations, cybersecurity is increasingly becoming a board-level issue. Now is the time to make the Board of Directors your cybersecurity ally.
The Federal Trade Commission (FTC) has stated that “data security begins with the Board of Directors, not the IT Department,” and has urged boards to receive regular cybersecurity briefings. The FTC has also called for boards to “build a team of stakeholders” who “bring a different perspective to the issues,” and to assemble a standalone or audit committee with cybersecurity oversight.
Although directors may lack a solid understanding of cybersecurity technologies, it is worth the CISO’s time and effort to bring them up to speed. Directors who can intelligently discuss these matters will help ensure that cybersecurity gets the attention it deserves. Additionally, an engaged board can set the tone throughout the organization by creating a culture of security awareness.
When discussing cybersecurity with directors, it is essential to provide solid information that’s free from industry jargon. Board members likely understand the business-critical nature of IT, but that doesn’t make them technology experts. Clear, concise presentations that identify risks and offer solutions will have more impact than highly technical reports describing arcane performance indicators and byzantine architectural descriptions.
Here is some of the basic information that will help keep board members engaged in cybersecurity efforts:
Describe your company’s level of risk. This could be a summary of the organization’s critical information assets, the probability of exposure based on current trends and safeguards, and the potential financial impact of a successful attack or breach. Also, try to quantify how a successful attack will affect the company’s reputation, brand and partnerships.
Outline the current risk landscape. Present information on the number and types of attacks that are of greatest concern. For example, as organizations move more workloads into the cloud, the board should be aware of increases in compromised cloud accounts. In addition, you should be able to discuss what measures you are taking or would like to take to reduce the company’s exposure.
Detail your incident-response plan. Describe how IT identifies, contains and eradicates any threats, and your process for recovering any affected systems or data. This should include a discussion of backup, disaster recovery and business continuity plans.
Provide context for cybersecurity spending. Monitoring and evaluating company spending are among the basic responsibilities of the board. Provide ROI data to illustrate how dollars are being spent. Compare and contrast the costs of preventive security measures against the cost of remediation.
That’s not an exhaustive list, but it should be enough to get a conversation started. Given the scope and cost of the cybersecurity threat, directors need to understand what puts the company at risk. It is then up to the board to determine the organization’s tolerance for risk and empower executive leaders to set appropriate policies.
How Mainstream Can Help
Mainstream can assess your governance structure and IT environment in the context of your internal requirements and any applicable external compliance requirements. We can then provide insights for your board on the levels and types of risks to the organization from cyber threats and noncompliance. We also offer consulting services and solutions to reduce that risk by improving your security and maintaining compliance.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.