The board plays a crucial role in ensuring that the company is adequately managing its cybersecurity risk. The first task is that the board must appropriately prioritise cybersecurity and ensure cybersecurity policies and procedures are in place and appropriately funded. There is no such thing as cheap data.
Companies take various approaches to board evaluation in terms of methodology and objectives when setting up the framework. However, to close the missing IT, data and cybersecurity element, every board evaluation must also cover:
Which assets can be compromised in the event of an IT or cyber threat or breach.
Traditional evaluations based on the best practice laid out in the global corporate governance codes do not address these new risks and threats when listed companies conduct board performance evaluations. Board evaluation must develop into a vital process for improving board performance and dynamics, whatever the size, status or type of organisation. It should do so by focusing on the enterprise-wide IT risk management framework, so that inadequate staffing and resources are identified and the board can maintain awareness of, and oversee, multiple organisational risks, including IT and cybersecurity risk.
Most evaluations omit a vital component: the growing need to understand that IT security, data protection, data privacy and cybercrime are risk management issues that affect the entire organisation. They do not merely require board oversight; they are a board responsibility. Although boards of directors know they need to stay informed about cybersecurity, keeping up with the complex and rapidly evolving world of IT, data privacy and IT security is often a challenge. Nearly every governance survey of board, IT or audit committee members has found that only around 20 percent of directors agree that their company has cybersecurity risk well under control.
Therefore, ensure that the following 10 IT and cybersecurity components have a place in the next board evaluation:
Allocate resources according to the company's data and IT risk appetite and its strategic assets.
Review, during the evaluation, the potential vulnerabilities of the company's IT network environment, so that the board knows who can connect to and infiltrate its systems, which third parties have access and who approves that access, and how mobile devices and social media are governed by board-level policy.
The board must therefore start its IT, data and cybersecurity journey now, so that it has the technical capability in place and does not panic or hesitate when a malicious cyber event is identified in real time. It must know how penetration testing is carried out, how the response plan for a breach or attack works in practice, and how often that response plan is tested, to avoid the black screens that many companies have already experienced.
With this IT and data focus, the board will meet its regulatory requirements, may even become the primary driver behind the company's IT security exercises as part of the tone from the top, and will develop into a high-performing board, well suited to anticipate, meet and overcome the challenges ahead.
At the GRC Foundation Certification Seminars, most of the above issues are discussed from the perspective of Board of Directors and Senior Management accountability and responsibility.