Five Strategies For Boards To Enhance Governance And Resilience In The Face Of Evolving Cyber Risks
These are challenging and uncertain times, especially from a cybersecurity perspective. Critical infrastructure such as hospitals, airports, water treatment plants and the power grid is being bombarded with cyberattacks.
Far too many organizations are taking this too lightly and lack real-world preparedness. For instance, hackers behind the recent Synnovis attack in the U.K. demanded a $50 million ransom—yet many in the healthcare sector cross their fingers, hoping malicious actors don’t cross their path. Some organizations have outsourced their cybersecurity functions to a third party and assume they have abdicated their responsibility. But companies must never abdicate cybersecurity.
Cybersecurity is no longer an IT issue. It’s a business issue, and it’s a boardroom issue. Senior execs and board members have a fiduciary duty to their customers, investors and shareholders to protect the organization’s critical assets and infrastructure from any kind of business disruption or destruction. So how can board members better manage and govern cybersecurity? Below are five strategies I recommend.
1. Accept and assess cyber risk as part of the broader risk management strategy.
Many organizations accept the implementation of technology as a means to drive their business forward without debating or discussing the “what happens when it goes wrong” question. Ransomware attacks on hospitals can result in delayed treatment, delayed surgeries and even loss of life. How many hospitals consider this when onboarding new systems and technology?
We’ve already seen the power unleashed by the CrowdStrike incident. A ransomware attack can cause mass-scale disruption, encrypted systems, extortion demands, panic and chaos. From a risk, business and leadership standpoint, we need to account for multiple scenarios, including indirect threats posed by supply-chain and third-party partners.
2. Consider cybersecurity an investment, not an expense.
Cybersecurity is usually a trade-off. Businesses are constantly challenged with the question of how much capital to invest in cybersecurity versus spending on things that help drive the ability to innovate, scale and support. All too often, security is an easy target because executives may fail to see the direct link between the cybersecurity budget and its ROI.