In an article published by the SMLR Group back in June 2015, “Digital Security is a BOARDROOM Problem,” author Mikko Hietanen wrote:
“Digital attacks can threaten an organization’s global reputation and at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage . . . Boards need to recognize that a cyber attack will happen at some stage and that cyber security is a matter for the entire business . . . These attacks are operational business risks, not just IT risks.”
This article really hits the nail on the head. Cybersecurity isn’t just about protecting the IT infrastructure of a company. It’s about protecting the business itself – the information, processes, procedures and day-to-day activities that define a company.
When it comes to cybersecurity, companies may have board members who are not “cyber savvy” and are unable to understand the risks to the business. This isn’t just about having your email hacked, folks. If only it were that simple, then we could all throw money at better security, software programs, hardware updates and monitoring and call it a day. The truth is, a cyber attack leaves your entire business exposed, and the future of the company may come into question in an instant – that’s why cybersecurity is a boardroom issue.
A board functions as an overseer of a company’s long-term success by guiding the company’s direction and affairs while making sure the interests of the stockholders and other stakeholders of a company are met. Cybersecurity is a boardroom issue because it has a direct impact on the company’s relationships, its information and, ultimately, its permanence. Boards now have the added responsibility of not only understanding the cybersecurity vulnerabilities of their companies but also being able to anticipate the business impact that breaches could have. Boards must be able to react quickly while protecting their organizations’ prosperity – not an easy task when you are in crisis mode.
In this age, there is a reasonable expectation that the board and senior-level executives should be held accountable for a company’s cybersecurity measures. In the wake of a cyber breach, will board members be held responsible for not directing their executive team to strengthen their cybersecurity, if they have not already done so? For example, if PSA were to be breached and we had not taken any action to provide reasonable cybersecurity protection prior, would I be held responsible as CEO? I think the answer is yes. Would our board members be held responsible? I think at a minimum, the board members have a responsibility to the stockholder to question the senior team regarding cybersecurity and hold the leadership accountable.
Many times board seats are not filled with IT experts and cybersecurity professionals. Frankly, cybersecurity is still a relatively new topic in most boardrooms, and the pace at which the conversation changes is blinding. The boardroom needs to become home to regular, consistent dialogue on this subject. Formulating a response plan in the wake of a breach to protect the company’s reputation is one place to start. Cybersecurity isn’t just about protecting the information inside the walls of the company; it is also about protecting the legacy of the company. It’s not enough anymore to understand that there is a problem. Boards and senior leaders need to be having conversations about real solutions and continue to make that conversation part of the fabric of the company. It’s our responsibility to our customers, our employees and the future of our company.
About the Author
Bill Bozeman is president and CEO of PSA Security Network.