This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason shares his thoughts on responsibilities and challenges, and some recommendations, for boards to help lead their organizations through the barrage of cyber threats.
To read this article and get more critically important news and information, check out our other security-focused posts and subscribe to Providence Business News on their website, www.pbn.com
By the end of this year (2023), the cost of cyberattacks globally is projected to be upwards of $10.5 trillion. This astonishing impact on businesses shows the need, more than ever, for cyber resilience and risk to be part of strategic planning at every level of organizations. Most importantly in the boardroom. Gartner Inc. recently predicted that by 2026 70% of all corporate boards will have at least one member with cybersecurity expertise. But we are a long way from that today.
As we prepare to dive into 2024, the complexity of navigating today’s business environment and risks is not getting any easier. Boards of directors find themselves in an interesting place, where the traditional approaches to cybersecurity that involve simply investing in tools and technologies for protection, have proven insufficient. Today, we face a barrage of cyber threats and the key to our success is building resilience in our business. I would like to dive into the responsibilities and challenges, and some recommendations, for boards to help lead their organizations.
The responsibilities of the board are shifting. Boards are charged with overseeing operational and strategic decisions. They bear higher levels of fiduciary responsibility to manage cyber risk. But they often find themselves in uncharted territory when it comes to cybersecurity. For many boards, cybersecurity is not even a dedicated topic or may simply be grouped into other discussions. The challenge we face is how to bridge the gap between technical details and business-level insights necessary for boards.
"Findings showed that only 1.4% of S&P 500 companies have a former or current cybersecurity executive on their board"
- ENVISION'S COO JASON ALBUQUERQUE
The absence of cyber proficiency on boards is also a challenge. In its “What Directors Think 2023” report, Diligent Institute surveyed 300 U.S. public company directors about the biggest challenges facing them. Findings showed that only 1.4% of S&P 500 companies have a former or current cybersecurity executive on their board, and 52% of those surveyed stated that they have board members with only a loose connection to cyber skills. Alarmingly, only 12% of S&P 500 boards have a cybersecurity leader, such as a chief information security officer. By the way, almost 40% of those board members surveyed stated that cybersecurity was one of their biggest and most difficult challenges.
The good news is that boards are beginning to see the importance of managing cyber risk and building cyber resilience. Data shows that there is growing interest in recruiting cyber leadership on boards. But the progress is too slow.
To make exponential progress, we must adapt at the board level. Today’s modern board of directors should be actively recruiting cybersecurity expertise. Look to add a cyber leader directly to the board. And don’t hesitate to seek out external cybersecurity expertise to offer insights and guidance.
A proactive board should prioritize the education of existing board members on cybersecurity. Don’t fall victim to those pitching the latest industry jargon or the latest greatest tools on the market. Instead, invest your efforts and shift your focus to business risks, truly identifying how cybersecurity risk impacts revenue, privacy, compliance, growth and other strategic aspects.
Today’s board members should perform periodic tabletop exercises, discussing and preparing for worst-case scenarios. Only then can you ensure rapid and informed decision-making during a cyber incident.
Collaboration is essential. Boards need to invest time in exploring partnerships within and outside of their industry, to share best practices. Participating in public-private partnerships with government agencies can also help strengthen cyber acumen.
Ultimately cybersecurity should be built into the very fabric of an organization. New threats to businesses appear every day, and the approach goes well beyond new tools and protections. Only with a high level of strategy, support, leadership and diligence can cyber resilience be a pervasive force at every level, in every facet of business.
