My previous posts have talked about how to increase transparency and board literacy regarding cybersecurity to address the knowledge and visibility gaps between the board and IT security teams exposed by the Fidelis-commissioned Ponemon study. I will close out this series of posts focusing on the trust gap.
Organizations face a world of continuous compromise. Threat actors, some sponsored by nation states, are highly sophisticated, well-funded and patient. While prevention serves as a meaningful and necessary deterrent, no preventive solution is 100 percent effective. In short, if they target you, they will at some point penetrate your defenses. Boards must recognize that fact and be ready to focus on mitigating and remediating the damage. However, to do that, there must be a shared understanding and mindset with regard to cybersecurity.
Create Shared Understanding and Experience
Mutual trust between board members, company management and IT security professionals is vital for effective governance and breach response. It sets the foundation for open communication between these groups and allows an organization to move forward with agility and responsiveness in finding and remediating potential security breaches. Ways to generate trust include:
- Establish an understanding that cybersecurity is an enterprise-wide risk management issue, not just an IT issue.
- Establish a risk-aware culture and a shared understanding of what drives the company’s success, including knowledge of the company’s strategic objectives and the risks associated with those objectives.
- Emphasize that cyber-preparedness is a team sport and include the risk committee and board members as participants in incident response exercises.
- Ensure that the organization’s incident response plan documents the role of the board and expected information flow between the IT professionals and the board during a breach.