Since the initial release of our corporate executive and board of director cybersecurity white paper, the heat on corporate boards and corporate leadership teams has only grown hotter. In early September, the Financial Times wrote a piece with the ominous headline: “Why the Focus is Shifting to Boards on Cyber Security.”
In a notable warning, Rupert Krefting, head of corporate finance and stewardship at M&G Prudential, said: “We see cybersecurity as a key emerging risk. It is hard for us to judge if they [management and board directors at listed businesses] really do know the technology risks because they are not prepared to talk about it.”
In early October, according to NextGov, FBI Director Christopher Wray implored corporate board members to work with the federal government to secure their data and computer systems from foreign hackers. Wray reportedly said: “I get that there’s a reluctance out there sometimes to turn to the feds when you’re hacked. In our eyes, you are and should be treated as victims, but time is of the essence in these cases.”
Research and analysis of this topic also continues. A new survey from the Economist Intelligence Unit finds that 40 percent of corporate executives say the board of directors should oversee cybersecurity policies, while 24 percent back creation of a specialized cyber committee.
And CompTIA released a new report entitled "2018 Trends in Cybersecurity: Building Effective Security Teams," which explores what organizations are doing to secure data and handle privacy concerns in an environment that continues to grow in complexity. The report looks at the ways that companies are forming teams around security, using both internal resources and external partnering. Ensuring that these teams have input to corporate executives and the board is crucial.
One key area of examination in this new CompTIA report is the use of security metrics to measure success and inform investment decisions. Though just one in five organizations makes heavy use of metrics within their security function, a full 50 percent of firms surveyed are moderate users of such measurements. The use of metrics in the cybersecurity realm provides an excellent opportunity to bring together many parts of the business. From the board level through layers of management down to the people executing security activities, all have a vested interest in setting the proper metrics and reviewing progress against goals.
We can be sure that investors, regulators and others will be looking at such metrics to help gauge how well companies are positioned in terms of expertise to address cybersecurity risk, and how well-informed corporate boards are to provide direction in this critical area of corporate governance.
More than ever, corporate executives and boards of directors must act. The time for ignoring cybersecurity policies and procedures is over. In that spirit, our guide on building a culture of cybersecurity only gains in relevance. To access and download the white paper, go here.