Cybersecurity governance is now a priority in boardrooms as cyber attacks become more costly, dangerous and disruptive to businesses. Some boards have added cybersecurity expertise as a director’s qualification to their rosters. Others turn to contractors and third-party service providers to bring cybersecurity expertise to the boardroom. Some boards are even using an unpopular method of hiring hackers from red teams to test the company’s systems and determine where their vulnerabilities lie.
There is a disconnect between the priorities that boards declare and what they do to accomplish them. Our research indicates that only 69% of board members are regularly in contact with their CISOs. A significant portion of these board members only interact with their CISOs when they are presenting to the board. These gaps must be filled in order to ensure that the boardroom is in a position to engage with CISOs and be aware of cybersecurity dangers.
To bridge the gap, it’s essential to make cybersecurity a core aspect of every board meeting and to involve directors in meaningful discussions about the threats they face. This requires changing the way the conversation takes place in the boardroom. For instance, a standing agenda item for cybersecurity can be introduced, with pre-read materials circulated before meetings so that cybersecurity issues can be discussed in more depth. It is also necessary to make cybersecurity a top priority for the board and to establish a secure culture in the business through leadership from the top, rewarding those who speak up about risk, with risk awareness and accountability expected of the entire management team.