The number of breached accounts reached a tipping point early in 2019, with the first megaleak hitting the newswires to the tune of 2.2 million breached accounts. In addition, as companies are moving increasingly more applications and data to the cloud, we are seeing an influx in companies that are not securing their cloud resources. There, the numbers are even worse: 2.7 billion email addresses, 1 billion email account passwords and 800,000 applications for birth certificate copies were recently exposed in the most recent incident of this nature. These are damaging leaks of astronomical proportions, and they are certainly turning heads for IT and business leaders alike today. But how important is cybersecurity to those at the board level today?
With 80% of organizations today having experienced a cybersecurity incident so severe it required reporting up to their board of directors, cybersecurity is far from just an IT problem. These are bottom-line impacting events — and certainly brand- and reputation-damaging as well. Think back to one of the most infamous breaches of all time: Yahoo. The company saw a serious impact to both the brand and the business’s financials — the devaluation of its sale to Verizon, for example. But outside of that, in the rush to rectify the situation after a breach, there are countless costs associated with a breach, including compliance-related penalties and the revenue lost from business downtime.
Clearly, given the broad and deep ramifications that just one cybersecurity incident can have on businesses today, cybersecurity needs to become a board-level priority if it is not already. When I last touched on the topic of cybersecurity and the board, I acknowledged that we have come far from a time when board members simply asked, “Are we secure?” They’re now requesting detailed security assessments.
Since we last discussed the topic, how much progress has been made here? How are boards keeping pace with current cybersecurity challenges, and what should we expect from boards with regard to cybersecurity in the next handful of years?
Cybersecurity And The Board, Progress Made: B+
There are two areas of progress happening today. First, there are more companies that now have at least one board member with cybersecurity expertise. This seems to be the going trend — with 35 of the 100 largest companies taking this path. This is a natural and much-needed first step in the process.
And here is the second piece of good news: 42% of board members cite cybersecurity threats as having the greatest effect on their company in 2019, implying that their awareness of cyber risk is at its highest compared to just a couple of years ago. More boards are taking note of the issue.
Cybersecurity And The Board, Requires Work: C-
But there is still one clear area that requires work. Though we are starting to see some companies going all-in, creating an entirely separate board-level cybersecurity committee, this trend is still fairly small. Companies who opt for this path — my company is one of them — are still very much in the minority: only about 10% of companies have a board-level committee dedicated to cybersecurity. Many more companies need to follow suit.
To take it to the next level, companies should not only have a board member with cybersecurity expertise, but an actual board-level cybersecurity committee should become best practice. The committee charter should clearly focus on driving down risk for the business and driving up the visibility needed to ward off those risks.
To make this next wave of cybersecurity and the board an actionable reality, board members need to have actual governance over the security of the companies they serve. To do this, they need to be given proper oversight into how companies protect sensitive customer and employee data. This visibility will then allow them to both govern and advise on the right additional layers of protection required.
But how can we accelerate this trend? One thought is that, similar to the California regulation where it is a requirement to have female representation on public boards, we could envision a regulation addressing the cybersecurity issue, demanding that companies hire cybersecurity-savvy board members.
As cybersecurity governance gets elevated to the highest level in the enterprise, boards need to not only assess risk, but also help recommend, govern and enforce the right preventative measures. Having this all-in focus at the board level is proving increasingly more critical to drive cybersecurity best practices and control to all levels of management.
This post was originally published on Forbes.com.