There is much ado right now in corporate governance circles about how boards should address cybersecurity-related enterprise risk. Should they make cyber risk an explicit element of the audit committee’s agenda? Should they establish a separate enterprise risk committee with cyber responsibility? Should they establish a technology committee with cyber responsibility, given the rapidly increasing role of technology driving business strategy throughout the global economy? Or should boards appoint members with cybersecurity (or broader technology) expertise?
Governance experts are debating these questions in videos, blogs, articles, and social media. The main obstacle that prevents simple, clear answers is that the situation is different for every board. All companies face the threat and potential inevitability of a cyber intrusion – but that’s their only common factor. Every company’s threat environment is different because each participates in different industries, has different assets that hackers might find valuable, and different vulnerabilities that hackers might exploit. And every board brings unique skillsets into its boardroom.
The resulting dilemma and inaction put boards at risk of shareholder derivative lawsuits in the aftermath of a cyber breach, and work in favor of the cyber criminals. Boards are also caught betwixt and between when it comes to judging how the organization is handling its cybersecurity – is it doing enough, or too little?
Countless client engagements investigating cyber incidents as well as proactively helping companies prepare to meet future incidents have given me a very pragmatic perspective on these questions. Yes, it would be great if all the world’s major corporations placed at least one technology expert in their boardrooms, preferably one with a concentration in cybersecurity. Companies like Wal-Mart and FedEx have done just that. It’s a very short list that I hope is going to get longer over time.
But what’s more important at this moment in time is a concept I call active inclusion. It’s described in the chapter I wrote, “Establishing a board-level cybersecurity review blueprint,” for the New York Stock Exchange’s Navigating The Digital Age, a new book released this month. Active inclusion states that, in the current environment, all board members should participate in the cyber risk discussion – not from a technical perspective but in terms of assessing the enterprise risk their organizations face from cybercrime.
Therefore, there is one “best” thing every board can do – create a cyber risk committee and include in its charter a task to educate the entire board about cyber risk. Such a committee could consult often with the company’s CIO and CISO, vet their presentations to the full board, and invite outside experts to present. For example, we’re often invited to client boardrooms to discuss cyber risk, current threat intelligence and cyber preparedness – topics that require cyber expertise and focus the organization may not have in-house.
Then, once boards are properly educated about cyber crime, proactive threat hunting – where companies search their own networks for the intruders who are likely already lurking there, rather than waiting for an alert – will be a natural outcome.
Only such proactive hunting can turn the tide against cyber criminals.