My last post described the gap in knowledge and trust between corporate Board members and IT security professionals revealed by the survey that Fidelis Cybersecurity completed with Ponemon Institute. Some of the data showed a serious lack of cyber literacy among board members. This is despite the fact that boards play an important role in guiding companies regarding real risks, such as those related to cyber breaches.
When you think about it, cyber literacy can be equated to financial literacy. Not every board member is an auditor, but each needs to be able to read a financial statement and to understand the financial language of business. The same should hold true for this important area of governance: cybersecurity. Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organizations face so they can provide the support their IT security professionals need to protect against those risks. There are a few ways to solve this problem.
Evolve Board Composition
Since the composition of an organization’s board is at the heart of its sound governance, the quickest way to make sure the board can provide effective cybersecurity oversight is to change the composition of the board. A couple of options to consider include:
- Replacing a current board member with one who has cybersecurity expertise or adding a new board member with this knowledge to the board’s risk committee, where cybersecurity oversight functions normally are focused.
- Adding a non-member cyber-advisor who can serve as an external trusted advisor to the board. This approach has proven successful when nominating/governance committees have been unable to find people who meet their board profile requirements and have cyber expertise.
- Engaging external trusted advisors from consulting companies or law firms, or both. A variation of this approach is to ensure that the current outside advisor function includes cyber expertise.