Cyber Security Oversight: Why it Belongs in the Board Room


Traditionally, cyber security was considered the exclusive domain of the IT and security operations departments, which were charged with buying and deploying technology to defend against network intrusions. The long line of devastating data breaches at Target, JPMorgan Chase, Home Depot, and dozens of other established, respected brands is changing that. Responsibility for the safety, security, and integrity of an organization's network has shifted to executive management and boards of directors. For some, though, the question remains why cyber security should be a board oversight issue at all.

Over the last few years, cyber threats have emerged as some of the most significant business risks facing organizations. For many, the Target breach was a watershed event: the subsequent lawsuits and settlements, totaling tens of millions of dollars, revealed the scale of the financial impact of a cyber-attack. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake-up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers' personal information. Home Depot, which booked $161 million in pre-tax expenses to cover its breach, including $19.5 million for the consumer settlement, is a good example.

In response, boards have stopped viewing cyber security as merely a core function of IT management, and are now demanding that the C-suite treat cyber threats as an enterprise risk to be addressed from a strategic, company-wide, and economic perspective. They are taking an active interest in cyber security and want to be kept informed of current and evolving risks, as well as the organization's security preparedness and response plans. According to a recent study by accounting firm EisnerAmper (EA), directors are most worried about cyber security risk (70 percent), followed by reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).

These results reflect the fact that boards now recognize that protecting against cyber-attacks and complying with evolving regulatory mandates is becoming more challenging and increasingly costly. As an example, the European Union's General Data Protection Regulation provides for fines of up to 4% of a company's global annual turnover, which in turn creates a foundation for civil litigation. Where cyber security insurance is being considered as a hedge against cyber risk, the board's risk committee needs to determine what coverage is required for directors' and officers' liability, commercial general liability, prior acts, and property and casualty.

Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) found that over 90% of respondents believe their board's understanding of cyber security risk still needs to improve. Against this backdrop, a cyber security disclosure bill recently introduced in the U.S. Senate would require public companies to describe what cyber security expertise their boards have and, if they have none, what steps the company is taking to add that expertise to the board.

While many experts believe the proposed bill goes too far, especially given the existing shortage of cyber security experts in the industry, it illustrates the need for oversight at the highest level. In fact, the NACD recommends that risk oversight become a function of the entire board. Since business strategy and risk now go hand in hand, the full board, and not just one subcommittee, needs to be vetting the company's cyber security practices and programs.

To elevate transparency and provide the necessary information to board members, organizations should consider implementing the following practices:

• Increasing the frequency of cyber security related presentations to the board;

• Allowing CSOs and CISOs to present their findings and strategies directly to the board, rather than through another C-level executive;

• Treating cyber security as a matter of enterprise-wide risk, not just as a function of IT management; and

• Adopting a model that produces a quantitative estimate of cyber risk exposure and potential losses, so that business objectives and security goals can be aligned.
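The quantitative model in the last bullet can be as simple as a loss-exceedance simulation: describe each risk scenario by how often it happens and how much it costs when it does, simulate many years, and report the expected annual loss and the tail. The Python below is an added example for this page, not a model from the article or from any vendor it names; the three scenarios and their frequency and loss figures are constructed assumptions for illustration, and a real program would calibrate them from incident history, claims data, and expert estimates. It uses only the standard library.

```python
"""Monte Carlo estimate of annual cyber loss, the kind of number a board can act on.

Added example for this page; not a model from the article or any vendor it names.
Each scenario is described by an expected event frequency (Poisson) and a
per-event loss distribution (lognormal, fitted from a median and a 90th
percentile). All figures below are constructed assumptions for illustration.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal quantile for p = 0.90


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected number of loss events per year
    loss_median: float      # median loss per event (dollars)
    loss_p90: float         # 90th-percentile loss per event (dollars)


# Constructed scenarios; these are assumptions, not figures from the article.
SCENARIOS = [
    Scenario("Payment-card data breach", 0.1, 5_000_000, 40_000_000),
    Scenario("Ransomware outage", 0.5, 800_000, 6_000_000),
    Scenario("Business e-mail compromise fraud", 2.0, 120_000, 700_000),
]


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Return (mu, sigma) of the lognormal with the given median and p90."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small frequencies used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Simulate `trials` years; return the sorted total loss of each year."""
    rng = random.Random(seed)
    fitted = [(s.events_per_year, *lognormal_params(s.loss_median, s.loss_p90))
              for s in scenarios]
    totals = []
    for _ in range(trials):
        year = 0.0
        for lam, mu, sigma in fitted:
            for _ in range(poisson(rng, lam)):
                year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    totals.sort()
    return totals


def analytic_expected_loss(scenarios) -> float:
    """Closed-form mean: sum over scenarios of frequency * E[lognormal loss]."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_params(s.loss_median, s.loss_p90)
        total += s.events_per_year * math.exp(mu + sigma * sigma / 2)
    return total


def summarize(totals: list[float], threshold: float = 10_000_000) -> dict:
    """Board-level figures: expected loss, tail percentiles, chance of a very bad year."""
    n = len(totals)

    def pct(q: float) -> float:
        return totals[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": sum(totals) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_loss_over_threshold": sum(1 for t in totals if t > threshold) / n,
    }


if __name__ == "__main__":
    report = summarize(simulate_annual_losses(SCENARIOS))
    print(f"Expected annual loss:       ${report['expected_annual_loss']:,.0f}")
    print(f"Closed-form check:          ${analytic_expected_loss(SCENARIOS):,.0f}")
    print(f"1-in-10 year loss (p90):    ${report['p90']:,.0f}")
    print(f"1-in-100 year loss (p99):   ${report['p99']:,.0f}")
    print(f"P(loss > $10M in a year):   {report['prob_loss_over_threshold']:.1%}")
```

The expected annual loss is what a board will usually ask for first, but the p90 and p99 figures and the probability of exceeding a chosen threshold are what make insurance limits and deductibles a concrete decision rather than a guess; the closed-form mean is included as a sanity check on the simulation.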

Ultimately, a proper oversight program helps companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risk, and ensure that reasonable security protocols and procedures are in place. It also helps all stakeholders gain a better understanding of which assets are at risk, how to estimate potential losses, and how to mitigate threats through new security practices, investments, and cyber security insurance.

While many boards have woken up to the fact that they need to pay more attention to cyber security as part of their fiduciary responsibility, security executives should not stand by waiting for their board to ask questions about cyber risk management. Instead, CISOs should proactively monitor their company's risk posture and present a quantitative view of it to the board at least semi-annually.

Attend the 2016 CISO Forum Panel – Reporting Security and Risk Management to the Board, Moderated by Gartner’s Ash Ahuja

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
