Engaging the Board in Cyber Security Policies

Cyber security is often an aspect of business operations in which board members find it challenging to stay actively involved and to give meaningful direction to the organization. This is sometimes due to, or is at least frequently attributed to, the inherently complex nature of modern IT systems (and the equally complex security mechanisms placed around them) being beyond the technical understanding of most board members. But, as has been emphasized in previous Kroll Fraud and Risk Reports, it is more often the human element that leads to cyber crime, fraud, and data breaches. This is certainly an area where board members and senior business leaders can and should be playing a truly important role.

It appears from Kroll’s latest Global Fraud and Risk Report survey that organizations are coming to this realization as well: 22% of respondents will be expanding their current use of board engagement to mitigate cyber risk, and nearly half (40%) are planning to launch new initiatives in the next 12 months to engage their boards.

Leading from the top matters. Employees are all too often referred to as the weakest link when in fact they should be regarded as the first line of defense. Direct involvement and example-setting by leadership should never be underestimated in shaping this mind-set. Trends also show that data losses are more often due to existing business processes that are exploited rather than direct attacks on the technology. Spotting gaps which ingenious attackers may utilize requires business acumen and people skills in addition to technical knowledge.

So how can boards become more effectively involved in cyber security risk mitigation efforts?

Taking steps to become directly involved in thoroughly reviewing cyber security policies and procedures will go a long way toward demonstrating the importance that the board assigns to the subject. But this is only half the story: If led from the top, testing and validating the effectiveness of these policies can be vital in protecting the cyber security health of an organization.

The following seven discussions points form an effective starting point for boards working on establishing an active role in cyber security risk mitigation efforts:

• Do you understand your existing cyber security policies and procedures? If not, there is a need for these policies and procedures to be rewritten in concise and clear language. These documents are only effective if they are immediately understandable and workable.
• Are you getting the answers that you need about your cyber security posture? Indeed, are you asking the right questions? If the IT and/or cyber security leadership cannot properly and fully articulate the strategy for delivering information security, such that this can be fully understood at a board level, then questions need to be asked as to whether the right person is representing the organization in these matters. Boards have a duty to their shareholders and other stakeholders to ask detailed and probing questions relating to the organization’s ability to protect its critical data assets.
• In drawing up the policies and procedures, have you involved all the business heads? Cyber security should not be considered as a silo. This is an organization-wide issue that needs input from leadership across the board, particularly when considering the gaps in business processes that may lead to cyber fraud and business disruption.
• Have you instructed that incident response plans be tested? No matter how clear and well-written the policies and procedures may be, if they are never tested under realistic circumstances, then there is no way to determine whether they will work or not. Cyber crisis table-top exercises (involving leadership) can be the most effective means of identifying (and subsequently remedying) potentially disastrous gaps that would manifest in a real incident. Any test should involve not just your IT/Security team and the points of contact for the executive team and the board, but all those whose expertise you will rely on in the event of an incident – legal, investor relations, HR, external technical experts, external counsel, and the crisis communications teams, to name but a few of the most important stakeholders.
• How are you measuring the effectiveness of cyber security spending? Boards are often asked to approve large sums for cyber security solutions and hires. Yet, what metrics do they have to measure whether these funds have been well spent? Has consideration been given to engaging independent external specialists to test the cyber security defenses in the same way that a real hacker would, without the prior knowledge of the cyber security team? Testing under real-life scenarios is the only way to effectively know if your security is working. In addition to testing, have you considered having your cyber security plans, projects, organization, and budgets reviewed by an independent third party? Companies like Kroll can review your organization’s current state against the threats we see globally targeting others working in your market and geography, and discuss whether your plans are likely to address/detect the threats, and how your resource allocation compares with similar organizations.
• Are you leading by example? Enhanced cyber security often leads to restrictions and tighter controls on device access and usage. When properly explained, it should be realized that these are for the benefit of organizational security as a whole. If boards and executives accept these measures and adopt enhanced security controls (rather than requesting exemptions for convenience), then this sends a message that security starts at the top and must be adhered to by everyone. Personalized messages in support of cyber security education programs can also go a long way to promoting organization-wide awareness and responsibility.
• Have you considered enlisting expert advisors? At the very least, regular board briefings by appropriate and credible cyber security experts is a must. Many boards nowadays are going one step further to engage this expertise in the form of non-executive board members.

Boards are recognizing the steep cost that data losses and cyber attacks are exacting in terms of both shareholder and brand value, not to mention operational and litigation costs associated with remediation. By addressing cyber risk in the same way they do other critical organizational risks – i.e., managing the human factor and enlisting specialist support for legal and technical aspects – boards can play a vital role in safeguarding information assets in ways that meet wide-ranging regulatory and stakeholder expectations.