Mind the Gap: 3 Ways Corporate Directors Can Improve Their Cyber Fluency

by Sean Joyce

As the stakes continue to increase and boards look to get more involved, here are three things directors can do to become more fluent in the company’s cyber strategy.


A lesson re-learned from the recent cyberattacks is this: a sophisticated and highly evasive threat actor can be in the heart of your systems for months before it is detected. And for companies to be successful in both deterring and detecting incidents in today’s complex and advanced threat landscape, it’s imperative for their cyber strategy to be connected to the business strategy.

That means that the responsibilities for cybersecurity don’t start and stop with the workforce, CISO, CEO or any other member of the executive team; they roll up to the company’s board of directors. Yet less than one-third — 32 percent — of nearly 700 corporate directors said they understand their company’s cyber vulnerabilities very well. Compare that to the 87 percent who said they are very familiar with the company’s strategy.

To close that 55-point gap, boards need the CISO to give it to them straight — to be fearless, frank, and candid. And in return, directors must feel comfortable asking even the most basic questions: Who’s accountable on the cyber team? Are we good on basic cyber hygiene like authentication, data back-ups and phishing attack prevention? How often do we have employee cyber awareness training?

With the stakes rising and boards looking to get more involved, here are three things directors can do to become more fluent in the company’s cyber strategy.

  1. Ask every business leader who comes before the board: what’s the cyber plan for that? You can ignite major changes — operational and cultural — just by asking this one question of every business executive who reports to the board. Hearing about cybersecurity challenges separately from business plans will not give you the context that you need to make the best decisions for the enterprise.
  2. Give cyber risk its due. Board members know that not getting cybersecurity right increases both the likelihood of a reputation-damaging breach and the harm it can cause. But CISOs say that boards too often treat cybersecurity as an afterthought, giving it short shrift on meeting agendas. The CISO is often the last item on the agenda, resulting in the proverbial “mad dash” to cover even the basic information. How can boards allocate more time to cybersecurity when meeting agendas are tight? One CISO said the board’s audit committee has invited him to quarterly meetings to educate its members in depth on cyber topics.
  3. Get to know the topic. Read the preview materials your CISO submits in advance of meetings, and bring your questions. Don’t be shy about asking: chances are, others also want to hear the answers. If you need help understanding cybersecurity, reach out. Consider inviting a CISO from another organization to join the board, or hire an outside consultant to advise you on what you should be thinking about and asking your own CISO.

If the pandemic and the recent cyberattacks have a silver lining, it may be this: boards are paying more attention to cybersecurity, and listening more attentively to their organizations’ security chiefs. And if recent events have taught us anything, it’s that directors need to go beyond the ‘listen and learn’ approach. Boards can make a difference in the major security transformation needed to enable their companies’ more ambitious digital strategies.

Sean Joyce is Global and US Cybersecurity, Privacy & Forensics Leader, PwC US.