Cybersecurity: Elevating the Board's Role in Cyber Protection
Understanding Cybersecurity as a Leadership Imperative
For the last two decades, cybersecurity has predominantly been treated as a technical challenge, delegated to technologists and their tools. Despite the surge of cyberattacks that have shaken various sectors over the past ten years, many organizations have still not genuinely integrated cybersecurity into their board-level discussions, even though it nominally occupies a place on their agendas.
Typically, cybersecurity issues only surface during board meetings under the guise of governance, often prompted by independent directors or auditors, or in the aftermath of incidents or near-misses. Generally, it remains an operational concern, something the board acknowledges but does not prioritize as a core issue.
Historically, it has been considered a component of enterprise risk management. However, with the growing acceptance that cyber threats are inevitable, it has begun to be viewed through the broader lens of volatility, uncertainty, complexity, and ambiguity (VUCA). This shift is beneficial, as it matches the pattern of the growing number of cyberattacks, particularly those attributed to state-sponsored actors.
Competence Concerns in the Boardroom
Nonetheless, doubts often arise regarding the board's capability to navigate these issues: Are board members digitally literate enough to grasp the stakes and make informed decisions?
These concerns can be addressed in two ways. First, specific expertise can be introduced when necessary, which is an aspect of good governance. Second, it is crucial to understand that cybersecurity has always transcended mere technicality—a message that has struggled to resonate at the board level over the years.
The Shortcomings of a Technical-Only Approach
The time has come for senior leaders to recognize that relying solely on a technical approach to cybersecurity has proven insufficient for safeguarding large organizations from attacks. This is not merely due to the evolution of cyber threats, but also because the complexities within organizations—functionally, geographically, and politically—hinder the effective implementation of protective measures, despite significant investments in technology and consultancy services.
Continuing to view cybersecurity through a strictly technical lens understates the seriousness of the issue and stifles the emergence of genuine long-term solutions, partly because it drives real talent away.
Implementing a Comprehensive Defense Strategy
To shield large organizations from cyber threats, a layered defense-in-depth strategy is essential. This approach should encompass controls at the levels of people, processes, and technology, all structured around clear accountabilities that span the entire organization, including IT, HR, various business units, and senior management.
Establishing such a protective framework necessitates a shift in governance and often a cultural transformation regarding control and business protection. It is not merely about acquiring more technology; it is about integrating cybersecurity—protecting the business from cyber threats—within a broader framework of controls and the organization's culture.
The Board's Leadership Role in Cybersecurity
Real change can only be driven from the top down, so boards must possess the leadership skills, authority, and political acumen necessary to foster this transformation. Delegating cybersecurity to technologists has proven ineffective: most are trained to focus on functionality and efficiency rather than on instilling a culture of control.
The board should not shy away from taking ownership of what has evolved into a leadership challenge in many organizations, particularly where there is a pressing need for cybersecurity maturity and transformation. This is the only viable path forward.
The first video, "How to Get Your Board to Buy into Cybersecurity," provides insights on effectively communicating the importance of cybersecurity to board members and securing their buy-in.
The second video, "Communicating Cyber to the Board Should Not Be Scary," discusses strategies for presenting cybersecurity issues to the board without overwhelming them, emphasizing clarity and confidence.
Corix Partners specializes in aiding CIOs and other C-level executives to navigate challenges in Cybersecurity Strategy, Organization, and Governance.