How the board can help in the fight against cybersecurity threats
With the proliferation of malware and a rise in threats related to Russia’s invasion of Ukraine, it’s no wonder that businesses are more concerned with cybersecurity than ever. As attacks grow on a yearly basis, companies are having to rethink not only their responses to data breaches and other digital crimes, but also the ways their boards are structured to place cybersecurity near the forefront of operations.
On Wednesday, several executives and security experts discussed these issues and more, at a virtual roundtable no less, for Fortune’s Modern Board series. With many serving on boards for public and private companies, they covered the importance of prioritizing cybersecurity in corporate culture and how critical it is to have experts in the field be part of a company’s leadership ranks.
“A lot of board members are now saying, ‘I don’t have a background in cyber. I don’t understand these terms. I don’t understand what these attacks mean. If the CSO comes in and gives an overview of how we’re protected, I don’t really understand what they’re saying,’” noted Kirsten Wolberg, who sits on the boards of multiple companies including CalAmp and Dynatrace. “A lot more engagement is happening because board members recognize that this is a substantial risk and they need to become educated.”
While other panelists agreed, they noted that this education should be part of a corporation’s culture so that communication is easier and executives can make more informed decisions.
“It’s important to not only think about the CEO’s role or the board’s role, but the whole senior management team of a company. It’s important that this not be seen as the CSO’s job, or even the CEO’s job,” said Atticus Tysen, Intuit’s chief information security and fraud prevention officer. “One of the ways to keep the conversation at the business level is for the CSO and the security team to get the right metrics in place that are business outcome oriented. Different business units or lines of business can make different kinds of decisions of where they want to be on that risk curve. The CSO should be helping them do that and helping foster that conversation between them on the board.”
It also helps, several panelists said, to have a cybersecurity expert on a company’s board. If a board doesn’t have one, its members should—at the very least—grasp how critical this area is to their corporation’s health.
“It’s great if you can find a cyber expert as well, but there’s probably not enough to go around,” said Diligent president and chief operating officer Lisa Edwards. “It’s not the board’s business to run cybersecurity for these companies. It is the board’s business to understand it, become fluent enough to both ask the questions and understand that the answers coming back sound right or not to challenge those answers, to prioritize actions around it, to have a strategy around it.”
As Edwards added, a “tone at the top” around cybersecurity needs to be set by boards and leaders so when threats inevitably arise, everyone is prepared. And to be more resilient against attacks, companies should be proactively thinking about prevention rather than reactively addressing any security issues.
“The environment of what customers expect of us as responsible companies and what regulators expect is also evolving,” said Tysen. “As we’re going through these shifts, we’re re-architecting and reimagining our products, and learning that we have to shift how we think about security and fraud prevention and design it in from the beginning. This is really quite different than in the past, where we were trying to secure something after it was ready to go to market.”
“You have to have the constant communication throughout the organization and also at the board level, and you have to be thinking towards the future,” Wolberg said, adding that boards should consider having crisis teams in place to handle emergencies. “You need a ransom negotiator even if you aren’t going to pay a ransom, so who is your ransom negotiator? Who are your communication professionals, and what types of incidents have they been involved in? Who is the core nucleus of the crisis management team within the company that’s going to be brought to bear in time of crisis? It’s proactively building security in and then really looking at, ‘What do we need to have in place for when an incident does or large incident does occur?’”
On the plus side, all this anxiety around cybersecurity has led to some positive developments in the corporate world, both in technological improvements and collaboration across companies to combat threats.
“We talk about shared defense strategies where we can, as a community of professionals, be sharing what we’re seeing, early signals, best signals. It’s not just around an incident,” said Tysen. “The biggest barrier that I’ve seen is around litigation, but other than that, I do think the walls are breaking down. There’s also more openness between government and private. The government is making quite good strides in that area, trying to make it less about coming in with a law enforcement mindset and more of a ‘How do we help?’ mindset.”
“I see information sharing as the trust currency for operational collaboration,” added Dell vice president and business unit security officer Bobbie Stempfley. “We realized that not only do we need to rise all boats, but we need other people arm in arm with us in order to meaningfully take the actions that need to be taken. If we do this right, we have governments and the private sector working together.”
And when it comes to boards themselves, the focus on cybersecurity is helping them grow into more knowledgeable and comprehensively functioning units.
“Trying to find a cybersecurity expert to sit on the board, the regular [talent] pools don’t work,” said Sue Siegel, chairman of MIT’s The Engine. “The good news is it allows for first-time directors to actually be able to come on board because now we’re looking into the functional positions that are no longer just CEOs or CFOs. We are looking at details. We are looking at folks that have had roles that encompass cybersecurity, and I think it’s a very, very healthy evolution. Not just because of the ability to expand boardship for so many, but also because we are looking for expertise in the right place. It’s not easy, but the tone of how to bring people on board and the level at which you bring them on board has really expanded.”