By: Bill Bozeman, CPP, President and CEO of PSA Security Network
In an article published by the SMLR Group back in June, “Digital Security is a BOARDROOM Problem,” author Mikko Hietanen wrote:
“Digital attacks can threaten an organisation’s global reputation and at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage . . . Boards need to recognise that a cyber attack will happen at some stage and that cyber security is a matter for the entire business. . . These attacks are operational business risks, not just IT risks.”
This article really hits the nail on the head. Cybersecurity isn’t just about protecting the IT infrastructure of a company. It’s about protecting the business itself – the information, processes, procedures, and all the day-to-day activities that define a company.
When it comes to cybersecurity, companies may have board members who are not “cyber savvy” and are unable to understand the risks to the business. This isn’t just about having your email hacked, folks. If only it were that simple, then we could all throw money at better security, software programs, hardware updates, and monitoring and call it a day. The truth is, a cyber attack leaves your entire business exposed and the future of the company may come into question in an instant – that’s why cybersecurity is necessarily a boardroom issue.
Boards function as overseers of a company’s long-term success by guiding the company’s direction and affairs while making sure the interests of the stockholders and other stakeholders of a company are met. Cybersecurity is a boardroom issue because it has a direct impact on the company’s relationships, information, and ultimately its permanence. Boards now have the added responsibility of not only understanding the cybersecurity vulnerabilities of their company but also being able to anticipate the business impact that a breach could have. Boards must be able to react quickly while protecting the company’s prosperity – not an easy task when you are in crisis mode.
In this current age, there is a reasonable expectation that the board and senior level executives should be held accountable for a company’s cybersecurity measures. In the wake of a cyber breach, will board members be held responsible for not directing their executive team to strengthen their cybersecurity, if they have not already done so? For example, if PSA were to be breached and we had not taken any action to provide reasonable cybersecurity protection prior, would I be held responsible as CEO? I think the answer is yes. Would our board members be held responsible? I think at a minimum, the board members have a responsibility to the stockholder to question the senior leadership team regarding cybersecurity and hold them accountable.
Many times board seats are not filled with IT experts and cybersecurity professionals. Frankly, it’s still a relatively new topic in most boardrooms, and the pace at which the conversation changes is blinding. The boardroom needs to become home to regular, consistent dialogue on this subject. Formulating a response plan in the wake of a breach to protect the company’s reputation is one place to start. Cybersecurity isn’t just about protecting the information inside the walls of the company but about protecting the legacy of the company as well. It’s not enough anymore to understand that there is a problem. Boards and senior leaders need to be having conversations about real solutions and continue to make that conversation part of the fabric of the company. It’s our responsibility to our customers, our employees, and to the future of our company.