Whose responsibility within a company is cybersecurity? Should key decisions fall to IT, or should higher management be involved more heavily in day-to-day cybersecurity risk management? Given the large fines and compliance obligations facing companies today, it’s probably obvious to most that data privacy and security is not just a technology issue.
However, a study by the National Association of Corporate Directors found that although 90% of respondents reported that their boards discuss cybersecurity on a regular basis, only 14% of the respondents felt that their board has an in-depth understanding of the relevant risks. Merely discussing cybersecurity is not enough to protect your company.
In addition to a company’s IT department, management and its board should be involved in the company’s cybersecurity plan and process. While board members may not have specialized IT knowledge, the board can and should work to understand the issues and become better equipped to make decisions when it comes to data privacy and security. Below are three steps that a board can take to begin addressing deficiencies.
1 – Assess
First, boards should decide what risks the company faces. Are those issues internal, external, or third-party risks? IT-related security issues are only the beginning of this discussion, as companies should also consider legal compliance and third-party vendors. Many companies take a more granular approach by performing a data inventory and mapping exercise to identify what information the company holds, how it is transferred, and to whom. The results are then reviewed against internal policies and third-party contracts to detect risks.
2 – Address
Second, the board must decide how to address each risk. For each risk identified, will the board attempt to avoid, accept, mitigate, or transfer the risk? This decision can be made by determining the likelihood of the event occurring, its potential impact, and how valuable the activities that create the risk are.
- Avoid: Risks that are particularly likely to materialize, cause significant damage, or that result from low-value actions should be avoided by minimizing or eliminating the risk-creating actions.
- Mitigate: Where a risk is less likely, less potentially damaging, or stems from necessary or high-value activity, a company may choose to mitigate it through policies, procedures, IT solutions, insurance, or other strategies. Some mitigation strategies involve internal actions, while others transfer the risk to third parties, as with insurance and some IT solutions.
- Accept: If the cost to mitigate is higher than the potential financial impact, or if the risk is particularly unlikely to materialize, a company may choose to accept that risk.
Once the board decides how to address its risks, it should carry out the appropriate action, delegating as necessary. The appropriate action may include purchasing insurance, developing a monitoring plan, or outsourcing certain company tasks.
Recently, many boards have decided to assign additional oversight to these issues by redesigning the management structure of the company. For example, there has been a trend toward adding a Chief Information Security Officer (CISO) as part of the management team. Developing a CISO position allows the company to have a management function that is dedicated to data privacy and security, including cybersecurity. Typically, these individuals have experience in the field and are willing to learn and adapt with the changing environment of data security. A CISO may or may not sit on the board of directors as a connection between the day-to-day operations related to cyber threats and the board’s overall decision-making process.
Other companies may develop direct lines of communication between the technology department and upper management. This communication stream can take many forms, but it is increasingly crucial that management create a culture of awareness surrounding cybersecurity and demonstrate its commitment to the effort.
In addition, every company should have an employee training program focused on current cybersecurity threats and best practices. For instance, there are red flags in emails or attachments that you can train employees to spot, which could save the company from a damaging cyber-attack. After developing a program and initially training your employees, it is important to keep the program updated and to continue training.
3 – Audit
A company should regularly audit, monitor, and revise its cybersecurity and data privacy plans and procedures to keep the program current and find vulnerabilities. Once those vulnerabilities are uncovered, the company can make an effective plan to address them before an attack happens. In short, the risks, compliance requirements, and best practices in this area are evolving too rapidly for a company's plan to be static.