We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance of data security risks. In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies.

As a starting point, the President observed that cybersecurity threats no longer resemble traditional security threats that can be protected against using “armor and walls” – or, by extension, stronger firewalls. Instead, the President is “looking to medicine” and “public health models” because “you can’t build walls in order to prevent the next airborne lethal flu from landing on our shores.” Instead, we need to “set up systems…to make vaccines a lot smarter.”

The takeaway for cybersecurity governance is that, although building up defenses to prevent cyberattacks is important, undetected vulnerabilities and cyber-attacks are inevitable. As such, it’s essential to invest not solely in defensive technologies but in cybersecurity response preparedness, rapid response protocols and cybersecurity governance safeguards.

For businesses, that means that cybersecurity is not just an IT issue, and although it is essential to identify and reduce risks and increase employee awareness on how to detect phishing attacks and properly dispose of sensitive documents, there are additional, equally important measures you can take now to proactively prepare to manage security incidents if and when they arise. As we have reported in the wake of recent high profile attacks, such measures include developing a protocol for how to deal with a data breach based on the specific technology infrastructure at your company while keeping in mind relevant legal requirements such as breach notification statutes. Once you have an incident response plan in place, conduct tabletop exercises to stress test the plan and ensure that key employees understand their roles and responsibilities. Also consider what steps you’ll need to take to ensure that privileged activities and communications are protected by the attorney-client privilege.

These are complicated and nuanced issues that require an enterprise-wide commitment, but as President Obama said in his interview, we need to “make different investments that may not be as sexy, but actually may end up being as important as anything.”