Cybersecurity has become a critical concern for organizations across all industries. Boards of directors have a vital role in overseeing their organization's cybersecurity posture, ensuring that the necessary measures are in place to protect sensitive data, maintain compliance, and mitigate cyber risks. Here are some guidelines for boards of directors to use as a guideline for board oversight of Cybersecurity within their organizations.
Engage a Qualified External Assessor: Hire an external firm that is a qualified assessor of cybersecurity practices. The firm should have no conflicts of interest and be capable of providing critical, objective assessments of the organization's cybersecurity posture.
Conduct Annual Cybersecurity Assessments: Engage your assessor to conduct a comprehensive cybersecurity risk as well as a cybersecurity defense assessment on an annual basis. The assessment results should be delivered independently to the board or a designated board representative, outlining the strengths and weaknesses of the organization's cybersecurity controls and recommendations for improvement.
Approve the company's Cybersecurity vision, including risk appetite, tolerance for a system, and business loss based on evaluating critical functions and systems.
Ensure you receive Quarterly Board-Level Cybersecurity Reporting and Metrics: The CISO should be able to provide consistent Cybersecurity Metrics related to the health of your Cybersecurity operations. Board-level cybersecurity reporting is critical in maintaining an organization's strong security posture. Good reporting enables the board to make informed decisions about the organization's risk management, resource allocation, and overall strategic direction. Reporting is necessary for the board committee with oversight to have a measurement that management is Staff executing a Cybersecurity strategy.
Know the difference between Compliance and Cybersecurity: Great compliance is not good Cybersecurity. Many industries have robust compliance standards intended to set minimums that can be up to 10 years behind prevailing cybersecurity industry best practices. Your companies cybersecurity plan should match the risk appetite set by the board and have robust capabilities in place to provide a defense in depth with capabilities such as Identity and Access Management (IAM), Threat Detection and Response (TDR), Vulnerability Management (VM), and Data Loss Prevention (DLP) among others.
Implement Separation of Duties: Ensure a clear separation of duties between the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO). This separation ensures that the CISO can focus on security-related issues without conflicts related to broader IT management. Consider having the CISO report to CFO or COO to separate these duties further.
Engage a qualified Director: The SEC is clearly on a path to require boards to have an independent director qualified in Cybersecurity and a clear and consistent process to monitor Cybersecurity health akin to the obligations to have a qualified financial expert and constant oversight and reporting related to the financial health of the company. You should get ahead of this requirement and begin to engage now, as changes in Cybersecurity maturity require time, budget, and patience.
Engage in Active Dialogue with the CISO: While in-depth reporting and metrics are the baselines. Beyond reporting board should engage in meaningful discussions with the CISO to gain insights into the organization's cybersecurity strategy and challenges. Sample questions for the board to ask to include:
- What is our cybersecurity strategy, and how does it align with our business objectives
- What cybersecurity capabilities do we need to enhance, and what are the cost and risk tradeoffs we should consider?
- What is our highest risk, and what actions do we need to take to mitigate it?
- What areas of the business are most at risk?
- How can we reduce our risk?
Effective cybersecurity oversight requires proactive engagement and a commitment to understanding the evolving cyber threat landscape and constantly evolving the company's plan to address the risks and the tradeoffs needed to budget effectively for improving the company's Cybersecurity to protect the company adequately. In closing, the board should ask the question if the internal team has the skills, resources, and budget to support your cybersecurity vision and consider cybersecurity managed services or outsourcing as an enabler of rapidly acquiring the required cybersecurity capabilities. By following these guidelines, boards of directors can enhance their oversight of cybersecurity practices, mitigate cyber risks, and contribute to the overall security and resilience of the organization.
About the Author: Ben Trowbridge is an accomplished Outsourcing Consultant with extensive experience in outsourcing and managed services. As a former EY Partner and CEO of Alsbridge, he built successful practices in Transformational Outsourcing, BPO, Cybersecurity assessment, IT Outsourcing, and Cybersecurity Sourcing. Throughout his career, Ben has advised a broad range of clients on outsourcing and global business services strategy and transactions. As the current CEO of the Outsourcing Center, he provides invaluable insights and guidance to buyers and managed services executives. Contact him at [email protected].