Are the directors on-board the cyber security train?

Cybersecurity is no longer the sole responsibility of the technical people, or even the CIO. Following the Target breach (where immense pressure was placed to replace most of the board members after the breach), and board members of Target and Wyndham Worldwide (hotel chain) face derivative lawsuit related to the data breaches. Recent survey reveal that nearly half (45%) of senior management acknowledge that the C-suite and senior leadership themselves are responsible for protecting their companies against cyber-attacks, and the U.S. Securities and Exchange Commission recently published a paper on the Role of the Boards of Directors in Overseeing Cyber-Risk Management, where it recommends:

Cyber-risk must be considered as part of the board’s overall risk oversight: “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Boards should assess the corporation’s cybersecurity measures including corporate policies and annual budgets for privacy and IT security programs. And perhaps, more critically, highlights the significance of cyber-risk education for directors, ensuring that the board be at least adequately represented by members with a good understanding of information technology issues that pose risks to the company.

(http://www.sec.gov/News/Speech/Detail/Speech/1370542057946)

So how are insights manifested in real-life? We asked Carmi Gillon, Cytegic Chairman of the board and an acting director in several companies what he thinks. Carmi Gillon:” I’ve been serving on several boards for the past decade. Throughout this period we’ve all witnessed the increase importance of cybersecurity. Especially during the last year, this is an issue that was raised time and again in board meetings, and for good reason- we understand that boards are now responsible for proper implementation of cybersecurity measures and safeguarding customer data. With this in mind, we are now more reliant on information that is being presented to us by the CIO and CISO. I have always insisted on receiving only relevant, timely information to support my decision on any matter, and cybersecurity-related decisions are no different. This is even more acute with executives who have no IT or security background. Therefore we now insist that the information (be it cybersecurity forecast, risk assessment or spending projections) to be as detailed as possible. After all, we need to look at the business from a wide perspective and make sure the decision we take in one area (for instance- to invest more resource into cybersecurity) will not affect other parts of the business. To make such informed decisions we ask the IT executives to speak in our language- and translate very technical talk into business talk. Only then we can assure we are making sound, responsible decisions.

Cyber crime is a strategic threat to companies and organizations in finance, healthcare, utilities and other factors. Since this threat is so menacing, the duty of senior executives to deal with the issue, rather than leaving it to the responsibility of a professional or technical personnel.