3 Ways for Boardrooms To Increase Their Security IQ and Address Cyber Risk
Here’s how boards can uplevel their security intelligence and establish appropriate enterprise risk management strategies to close potential gaps.
September 19, 2024
Accurately addressing and fully understanding cyber risk is a persistent challenge for companies and a potential liability for boards.
According to the annual PwC Corporate Directors Survey, 49% of directors see cybersecurity as a significant oversight challenge. Moreover, 85% of CISOs believe the board should offer clear guidance on the organization’s risk tolerance for them to act on, according to the IANS State of the CISO 2024 Benchmark Report. Given the expansive threat landscape (e.g., Distributed Denial of Service [DDoS] attacks and ransomware, among others), the executives responsible for cybersecurity protocols now face increasingly complex decisions when selecting enterprise security solutions.
Typically, this falls to the IT executive, who has to communicate and, worst case, defend these decisions to their teams, the board, or regulators. As senior business leaders become more engaged in cybersecurity measures, the need for a more practical and informed cybersecurity risk management capability is evident.
Cyber incidents can disrupt business operations, impair application and service availability, negatively impact revenue and critical services, and lead to significant reputational damage. For example, look no further than the risks posed by global hacktivist groups like Anonymous Sudan and NoName057(16). These groups that didn’t exist a few years ago now persistently wage cyberwarfare and create chaos using DDoS attack methods to disrupt governmental entities in the wake of national elections, major sporting events, and other global activities.
While board members and directors don’t need to be cybersecurity experts, they do need to understand that addressing cyber risk is not only the responsibility of their IT teams, but rather, is the responsibility of the entire organization. With that in mind, let’s explore how boards can uplevel their security IQ and collaborate with security teams on strategies to establish appropriate enterprise risk management to close potential gaps:
1. Understanding qualitative and quantitative cyber risk
We know that time is critical in any security incident, whether it is a DDoS attack, as I mentioned above, or another incident overwhelming the network. Once an incident occurs, IT teams conduct a brief qualitative and quantitative risk assessment. Qualitative risk assessments are beneficial because they can be done quickly and are relatively easy to communicate. Unfortunately, they also have two significant disadvantages. Being subjective, qualitative assessments are prone to natural biases that make them less accurate and less reliable. They also do not provide a concrete measure of possible impact on which to weigh and base decisions (e.g., a high-impact event is worse than a medium one, but by how much? What is the scale of low impact vs. high?). Enter quantitative risk assessment.
As the name implies, quantitative risk assessment is based on metrics such as single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE), among others. These metrics culminate in a financial value for risk and provide business executives -- beyond IT and security professionals -- with results that can categorize risks and rank them by probability and impact. In summary, both measurement methods can work together in a broader cyber risk strategy to simplify how boards communicate risk and interpret the actionable data. Under the SEC regulation, enterprises must report cybersecurity incidents within four days once materiality is determined.
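As an added illustration (not from the original article) of the two points above, the following Python computes SLE and ALE for a few constructed scenarios using the standard definitions SLE = asset value × exposure factor and ALE = SLE × ARO, ranks them by ALE, and shows how a coarse qualitative tier can rank a frequent, lower-impact event below a rarer one that costs more per year. All asset values, exposure factors, AROs and tier thresholds are constructed for the example.

```python
"""Quantitative vs. qualitative risk ranking (added example; all figures constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the affected asset or revenue stream, USD
    exposure_factor: float  # fraction of the asset lost in one incident (0..1)
    aro: float              # annual rate of occurrence: expected incidents per year

    @property
    def sle(self) -> float:
        # Single loss expectancy: financial loss from one occurrence.
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual loss expectancy: SLE weighted by how often it happens per year.
        return self.sle * self.aro


def qualitative_tier(sle: float) -> str:
    """Map a single-incident impact to the coarse labels a qualitative
    assessment produces. Thresholds are constructed for this example."""
    if sle >= 1_000_000:
        return "High"
    if sle >= 100_000:
        return "Medium"
    return "Low"


def rank_by_ale(scenarios):
    """Rank scenarios by annualized financial exposure, highest first."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


# Constructed scenarios: one rare/high-impact, one frequent/lower-impact, one in between.
SCENARIOS = [
    Scenario("Ransomware on ERP", 20_000_000, 0.25, 0.125),  # about once per 8 years
    Scenario("DDoS on storefront", 5_000_000, 0.05, 6),      # six disruptions per year
    Scenario("Phishing-led fraud", 2_000_000, 0.60, 0.5),    # about once per 2 years
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:20} tier={qualitative_tier(s.sle):6} "
              f"SLE=${s.sle:>12,.0f} ARO={s.aro:>6} ALE=${s.ale:>12,.0f}")
```

Running it ranks the "Medium" DDoS scenario first by annual loss, ahead of both "High" scenarios, which is exactly the resolution a qualitative label alone cannot convey.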
2. Recognizing the role of compliance standards in risk management
Just as it is essential to have a security plan in place for data breaches, it is also necessary for board members to stay informed of the shifting landscape of legal, regulatory, and internal standards. For example, how will the Supreme Court’s ruling on the Chevron doctrine impact future compliance regulations? In Europe, how are GDPR standards balanced with the innovation of AI?
While the immediate answers may not be apparent, the board must disclose information to stakeholders. Additionally, system control frameworks are valuable components of a compliant security posture, such as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST SP 800-53), the zero-trust security framework, and the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, promoted by the SANS Institute. In addition, it is important to understand the control framework in use, whether the NIST CSF or the International Organization for Standardization (ISO) 27001. Lastly, if the organization sells to the federal government, NIST will be important, and if it is a global company, the ISO framework is recognized globally. These frameworks have substantial overlap. If you are just getting started, start with the Essential Eight to understand your company’s security posture.
The fact is that breaches will happen. However, a basic understanding of compliance protocols provides a foundation for boards to understand the critical regulations governing cyber policy and how IT teams use them to ultimately create a more robust risk management strategy.
3. Implement cybersecurity tools as part of an overall strategy
It is also crucial for the entire team -- board members, security professionals, and security personnel -- to understand how and why the evolving threat landscape impacts business continuity. While it is imperative to select new board members with practical security experience, cybersecurity decisions cannot be an afterthought, as they often are in an organization. They must be fundamental to the organization’s overall security posture and decision-making process.
Tools such as advanced DDoS defense technologies, deep packet inspection (DPI)-based network detection and response (NDR) technology, and employee training modules for phishing/malware, along with the basic anti-virus, MFA, firewall, and spam tools, should inform the comprehensive cybersecurity strategy of an enterprise. This complete approach will set up enterprises for success against evolving network threats.
Investment in Security = Good Corporate Stewardship
Cybersecurity may be an intimidating area for a board to oversee. It’s a challenge to navigate complex new attack vectors and understand bad actors' methodology. Unfortunately, this responsibility will only grow more complicated over time as attackers continue to find new ways to infiltrate networks and engineer malicious exploits. Because of that ongoing threat, to meet their obligation as stewards of the company’s future, the board needs to be conversant in the latest challenges faced by CISOs and their security teams. That begins by learning how cyber risk is managed, and by taking an active interest in the tools and strategies needed to protect their organization when attacks occur.