The Board’s Role in Cybersecurity Is Changing

According to cyberlaw expert Michael Yaeger, corporate boards have a responsibility to start taking cybersecurity seriously.

According to the National Association of Corporate Directors (NACD), nearly 90% of the collective market value of the Fortune 500 consists of intellectual property (IP) and other intangible assets. The overwhelming majority of these assets — or at least a copy of them — are stored on some sort of computer system, likely one that is connected to the internet.

This enormous pivot from physical to digital assets has forced corporate boards to redefine their approach to one of their key responsibilities: risk management. In the event a company falls prey to a major cyberattack, it risks the loss of valuable IP and/or trade secrets, litigation brought by affected customers or business partners, and extensive reputational damage that ultimately leads to a plummeting stock price.

That’s why it’s so important that every employee does everything they can to protect their company’s digital assets from crippling cyberattacks. Skytop Strategies Founder & CEO Christopher P. Skroupa recently sat down with cyberlaw expert Michael Yaeger to discuss why board members have an especially keen interest in enacting cybersecurity best practices and wielding their influence to ensure that others in the company follow suit.

 

Striking the Right Balance between Oversight and Overreach

As important as cyber risk management has become, Yaeger is careful to point out that, at the end of the day, cyberthreats are just another variable to factor into a board’s risk assessment.

“The board must ensure that the company has cyber risk management policies and procedures consistent with its strategy and risk appetite,” he argues. “The board must [also] ensure that these policies and procedures are functioning.”

But how? According to Yaeger, boards should make a concerted effort to review their company’s privacy and cybersecurity budgets, assign critical security responsibilities to specific, accountable individuals within the company, and solicit regular briefings on these issues. Depending on the circumstances, this should all happen as often as once a quarter.

That said, Yaeger also emphasizes that micromanagement does not amount to effective management — far from it. “The board cannot and should not be involved in managing risks on a day-to-day basis,” he says. “It’s not possible and it’s not advisable…the board doesn’t need to know how many alerts there were on the intrusion detection system.”

If a breach does occur, it’s incumbent upon the board to act quickly and decisively to contain and eradicate the threat (Equifax offered a prime example of what not to do in this respect). But as Yaeger makes clear, paving a way forward is the board’s most important job in the wake of a breach.

A company’s IT professionals are the individuals who are going to be tasked with the actual containing and eradicating — it’s up to the board to take the long view, evaluate what went wrong, and craft an action plan that ensures the same vulnerability isn’t exploited again.

As Yaeger summarizes, “All breach response should eventually reach the point where management is seeking to learn from the breach for the future…Breach response is a circle, not a line.”

 

Managed IT Services: An Increasingly Popular Solution

Yaeger’s advice is all well and good, but the fact of the matter is that many corporate board members are ill-informed when it comes to cybersecurity. In one NACD survey, while nearly 90% of respondents reported that their company’s board discusses cybersecurity “on a regular basis,” a mere 14% of the same respondents believed that their board had a “high” level of knowledge about cyber risks.

That’s one of the reasons why, according to a Gartner press release, “By 2020, 40% of all managed security service contracts will be bundled with other security services and broader IT outsourcing projects, up from 20% [as of August 2017].”

At Turn-key Technologies (TTI), we’ve been providing award-winning managed IT services for nearly three decades. We understand that no two companies are the same, and we possess the know-how needed to help any company fortify its cybersecurity posture, regardless of its broader risk tolerance.

By partnering with TTI, companies are able to engage in better, more mature cybersecurity operations, helping them rest easy knowing that their precious digital assets are as safe and secure as possible.

By Craig Badrick

05.23.2018
