It can be easy to overlook how rapidly and profoundly cyber risk has changed, and even though few companies look to the directors for input on cybersecurity, it is a board’s responsibility to establish IT security priorities.

Only a few years ago, basic security hardware and software — firewalls, passwords and malware protection — could shield an enterprise from most forms of attack. But at a time when boundaries and perimeters are blurry or non-existent, clinging to conventional thinking and traditional approaches ratchets up risk. For example, 85% of companies now share data with partners, but only 28% have standards for data sharing, according to an AT&T Business report.

While a Chief Information Security Officer (CISO), Chief Security Officer (CSO) or Chief Technology Officer (CTO) and IT teams are expected to protect an organization, greater resiliency begins with the board of directors. Not only does the board set a tone for the organization, but it can also orchestrate a coordinated and consistent approach. Still, only about 9% of organizations look to the board to establish IT security priorities, Ponemon Institute reported.

Getting on Board

What does an effective board cyber risk framework look like? Topping the list is a cybersecurity strategy and tactics that match an organization’s geography, industry, assets and people. But there is also a need for robust reporting and auditing mechanisms — and ongoing education about risks. These initiatives should extend from the C-suite to the front lines of the business.

Directors cannot excuse themselves from this responsibility, as the inability to ask the right questions increases the risk for an organization. Board members should possess some knowledge about cybersecurity, including a basic grasp of the risk landscape, technology and cyber defense methods.

A best practice strategy inevitably revolves around balancing three factors: people, process and technology. When the board is at the center of this strategic framework, establishing the right rules, procedures and workflows becomes a lot simpler. What is more, a top-down approach that supports transparency boosts the odds that the organization will prioritize its requirements and build a sustainable cybersecurity model.

A Best Practice Approach

If you’re looking to take board oversight to a best practice level, several elements are crucial. First, it is important to have a dedicated board portal or meeting space to interact. Second, the board should implement a governance framework that supports consistency but offers groups necessary flexibility and autonomy. There is also a need for specific technologies, such as mobile device management and strong authentication, to protect assets and data.

But perhaps the most important factor is communication between the board and top leaders, such as the CISO, CSO and CTO. In the end, the board has the responsibility to push governance models into the organization — but only after truly understanding the needs of different groups. A best practice approach maximizes protection while diminishing risk.

