The Board’s Role in Managing Cybersecurity Risks

The central theme of this piece can be summed up by its subtitle: “Cybersecurity can no longer be the concern of just the IT department. Within organizations, it needs to be everyone’s business — including the board’s.” In other words, this article explores how cybersecurity breaches have become so commonplace that they are changing the roles of every member of a company, including the board members. The authors use the 2013 data breach of Target as an example of how a cyberattack can negatively affect upper management and board directors; in this example, there was a shareholder lawsuit against Target’s directors and officers, which ultimately did not find them to be at fault. However, the authors argue, there are likely to be more cases like this in the future, and therefore boards should make changes to better prepare for the inevitable cyberattack. The first major finding in this article is that most board members cannot even begin to ask questions about cybersecurity because they know so little about it. Without a fundamental understanding of the problem, they cannot begin to make strategic decisions about building a resilient company. Finally, the article proposes a 4-part routine for best practice in this arena. The first and second parts deal with educating leadership and creating a “common language” to abstract the technical details out of the conversation. This bridges the gap between technical experts and these upper-level managers. The third step in this plan is to distinguish between security (software and other technology to prevent and detect attacks) and resilience (being able to continue business and minimize loss in the event of an attack). Finally, the fourth step is to come up with a plan for security as well as a plan for resilience.
Key Words: Resilience, security, management, board members
Ray A. Rothrock, James Kaplan, and Friso Van der Oord
Input By: 
Molly Nagele
Domains-Issue Area: 
Industry Focus: 
Information & Telecommunication
Internet & Cyberspace