April 24, 2023
Cybersecurity has become a top-of-mind concern for many C-level executives and board members. Data breaches are a daily occurrence and carry a hefty — and growing — price tag averaging $4.35 million worldwide, according to the latest Cost of a Data Breach report.
However, this is only one of several potential cybersecurity risks that an organization can face. As cybercrime becomes more professionalized and sophisticated, companies face a growing risk of being the target of subtle, sophisticated, and expensive attacks.
Cyberattacks pose a major threat to a company’s viability and profitability. As a result, it is the board’s responsibility to take an active role in tracking and managing the corporate risk management program.
For non-technical board members, understanding, discussing, and making informed decisions regarding cybersecurity topics can be difficult. The following best practices can help a board to improve its visibility into, and ownership of, the corporate cyber risk management program.
A significant portion of an organization’s cybersecurity vulnerability is tied to its culture. If cybersecurity is not a priority when making strategic decisions, it will be passed over in favor of other priorities. If employees don’t understand the importance of strong cybersecurity, they are more likely to try to evade security controls and put the company at risk.
One of the board’s key cyber risk management responsibilities is instilling a culture of cybersecurity in the organization. This involves ensuring that the company’s CISO has a seat at the table for key decision-making and ensuring that cybersecurity training is treated as a key business priority, not simply a check-the-box exercise.
The majority of board members come from business backgrounds. This predisposes them to better understand and appreciate certain areas of the business than others. As a result, cybersecurity, as a more technical field, can be opaque to board members, and the board may not have a clear understanding of an organization’s cybersecurity strategy and risk exposure.
While board members don’t need to understand every aspect of an organization’s cybersecurity, they do need to understand its major components. For example, the board should be familiar with where sensitive data is stored, backup policies and procedures, third-party risk management, and other big-picture topics. Insight into these will enable the board to make more informed decisions about how to manage the organization’s risk exposure.
Often, cybersecurity is viewed solely as a cost center within the organization. The company needs to allocate resources to ensure that it meets compliance obligations and avoids becoming the latest cybersecurity headline. Since cybersecurity investment doesn’t have metrics showing clear value to the business — unlike sales, marketing, etc. — it is often undervalued and under-resourced.
However, most cybersecurity investments bring a clear — and often impressive — return on investment (ROI). Strategic investment in cybersecurity can reduce anticipated expenditures on recovering from cybersecurity incidents and can bring tangible savings in an organization’s insurance premiums.
A key part of properly prioritizing cybersecurity is treating it like any other part of the business. Defining security metrics and quantifying ROI for security investments can enable the board to make intelligent, data-driven decisions that protect the organization against cyber threats.
Many companies’ boards are composed mostly of people with business backgrounds. For many areas of the business, analyzing performance metrics and ROI is a well-established process, making it easier to make strategic, data-driven decisions.
The same is not true of cybersecurity, which is often seen as a technical field with no clear metrics for success or means of calculating the ROI of strategic investments. However, this doesn’t have to be the case.
Kovrr financially quantifies cyber risk on demand. Our technology enables decision-makers to seamlessly drive actionable cyber risk management decisions. To learn more about how to speak the board’s language when discussing cybersecurity risk, book a demo.