Generally, when we discuss systemic risks to an organisation, what comes to mind are events associated with natural disasters, black swan events, poor business execution and credit worries. Cyber security has definitely gained importance in the minds of the board, but the vast majority of enterprises hardly meet the CISO more than once a year, or less.
So why do we say that cyber security should matter to the board?
- Cyber-incidents create enterprise-wide risk – data breaches, cyber attacks, and significant events that change risk affect the entire enterprise.
- Lawsuits and compliance – Regulatory mandates and related lawsuits vary among geographic regions. The board and its CEO are well positioned to know the enterprise's long-term strategic plan and are best placed to guide risk management decisions.
- Brand-busting headlines – Nobody wants to see the name of their organisation flashed on the front page, so it is important that the board is aware of the risks, how they are mitigated and how the organisation will respond if the worst should happen.
- Rapidly changing technology at enterprise level – Enterprises will continue to embrace new mobile and wearable technologies and apps, hybrid cloud architectures, and the Internet of Things, and will become even more global in the number of markets in which they compete.
- Security culture succeeds when it is top-down – Only the board and the CEO can help the security team focus on what matters most, provide the resources to secure it, and set the tone for the culture of the entire enterprise.
- Critical infrastructure is mostly managed by the private sector – Chemical, communication, financial IT, manufacturing, food and agriculture, and health care are owned and operated by the private sector. When it comes to sharing important data about threats and vulnerabilities, only the board, the CEO and the top executives can decide what information should and shouldn't be shared, and how to collaborate with government and others in their sector to keep not only their organisation safe, but their industry and the nation as well.
The above note is mostly a reference to an article written by George V Hulme in CIO.