With so many Boards focused on operations, revenue, strategy, and execution, they completely are forgetting the simple fact that a single cyberattack can bring all that to a screeching halt.
Maybe members of an organization’s Board of Directors don’t care about cybersecurity because it feels very much in the technical weeds. Perhaps it’s because they don’t understand what constitutes a cyberattack. Or maybe it’s because they fail to understand the implications and repercussions of an attack on the business they seek to help grow.
I read an article I wanted to share and summarize from security vendor SentinelOne entitled On the Board of Directors? Beware of These Six Common Cyber Security Myths. In it they highlight some pretty universally-shared misconceptions about cybersecurity that also act as reasons why the Board should be asking the question “how is our cybersecurity stance” at the very same table where they talk about “how was last quarter’s earnings?”
The six misconceptions SentinelOne outlines that Boards often have are:
- Cybersecurity is only necessary for certain types of businesses – if you’ve been reading our blog, you know cybercriminal groups target every organizations of every geography, industry, and size.
- You only need software-based security solutions – We have solutions continually updated with AI-based threat intelligence and attacks are still being successful. There are completely malwareless attacks that rely purely on social engineering that security solutions won’t catch. For the foreseeable future, you should expect there will always be some small percentage of attacks that will get through.
- Software vulnerabilities are too much in the weeds for the Board – While I’d agree, the Board should be having a discussion around the organization’s state of protection against vulnerabilities (think updates, penetration testing, etc.). At very least, the board should be discussing the organization’s state of cyber-readiness – which includes addressing vulnerabilities.
- Supply Chain attacks aren’t a concern – Attacks on your organization’s supply chain have increased by 51%. It’s not only a concern; it’s now an established initial attack vector, which means the Board needs to be discussing the process by which vendors are selected – something that should include their cybersecurity stance.
- The Board can’t have an impact on cyber threats – We’ve continually seen budget and focus as named challenges for security pros doing the work. A focus by Boards to prioritize cybersecurity will have a significant impact on the organization’s ability to stop threats.
- Employees will always be a cyber risk – I’ve covered before that the human element comes into play in 82% of data breaches. This means they increase the threat surface and the organization’s risk of a successful cyberattack. Enrolling every employee organization-wide (including those on the Board!) in Security Awareness Training is a surefire strategy to reduce the likelihood that an employee can play a role in stopping attacks instead of aiding them.
The Board’s job is to strategically manage risk. Usually, the focus is on operational risk. But the modern Board of Directors should be focused on all types of risk – which now includes cyber threats. The misconceptions above are likely just scratching the surface, but they do make the case that Boards today need to expand the discussion to include cybersecurity.