Crisis as opportunity: Strategies for better board effectiveness on cybersecurity
For years, board meetings centred on the P&L, but today, the focus has shifted to something more pressing: risk assessment. The landscape for board members navigating risk oversight is as complex as it is important. Global economic instability, artificial intelligence (AI), sustainability and environmental, social and governance (ESG) all require strategic foresight and agile responses to mitigate emerging threats.
Cybersecurity is, overwhelmingly, one of the defining crises of our age. That’s not just our view; it’s what your board believes. When we poll board members about what concerns them most, cyber risk is always in the top three, usually placing first or second. With billions of dollars in ransomware payments made every year, this threat isn’t going away.
So how do we deal with these threats on the board level? We asked experts at our recent webinar, Harnessing Technology for Effective Crisis Management, to share their best practices for how boards and decision-makers can navigate crises for better outcomes.
Changing your perspective on risk vs. opportunity in a crisis
As governance, risk and compliance (GRC) professionals, you know that being ready for cybersecurity threats is important. But how you think about that preparation work matters most. Effectively managing a crisis can lead to growth and transformation for your company. Treating the incident as a potential opportunity, rather than only as a failure, makes it easier to take the right corrective action. Rather than dwelling on the mistakes your team made, focus on finding solutions that address them.
Building a culture of preparedness
Of course, you need to be prepared, but how do you act on this preparation? It starts by creating a culture where people talk and take responsibility within your company, one where identifying escalating threats isn’t just the norm — it’s encouraged. That means having open lines of communication, a single source of truth (more on this later) and clear delineations of your team’s roles during a crisis.
One way to identify problem areas in your response is to run a “tabletop exercise” of a potential crisis scenario. When running these sessions, it’s important not to tell your team the scenario or the timing beforehand. A genuinely unrehearsed run gives you an honest assessment of the flaws and communication gaps in your process.
Timing matters too: how long does your response actually take? Each step in the plan may look easy on paper, but once you put it against a timer, you’ll see the value in having those steps practised and ready.
Navigating regulations during crisis points
Of course, you’re aware of regulations around processing data for your company, but that’s not always considered when a crisis hits. It needs to be. Regulations don’t stop just because you’ve had a data breach. In fact, once the dust has settled, the scrutiny will be even harsher.
Putting in place highly structured ways to handle and transmit information is crucial. Whatever you say (even internally) must be appropriate and adhere to regulations. After all, any communications you have internally during a crisis may well end up in front of the rest of the world. That isn’t ideal, but leaks do occur; it’s human nature.
Crisis information management: The balance between insight and data overload
Historically, boards concerned themselves mainly with the P&L; today it’s risk management. How information is presented to the board matters, and so does the role the board plays once it receives that information. Let’s take each of those ideas individually before looking at how they work together.
We often assume the problem during a crisis is not having enough information, but the opposite is just as common: too much information is equally harmful. Knowing how much to pass on to the board is difficult. That is why companies are increasingly turning to enterprise tools such as ERP systems to pull everything together into one source of truth.
Data overload is real: you don’t want to overwhelm key decision-makers with a million data points. Define a standard set of questions the board needs answered during a crisis, use AI summarisation where it helps, and present trends rather than raw detail. Your board doesn’t want to sift through reams of information; it needs exactly what is relevant to its decisions, no more and no less.
Assigning and adapting board roles during a crisis
Equally important is clearly defining the roles board members hold and the actions expected of them during a crisis. If someone is a critical decision-maker, they need to know this ahead of time and be prepared to act. That’s not a static decision: board members’ roles can change over the lifecycle of the board and as a crisis unfolds.
We often say that when you think a crisis is over, you’re probably only at about 40%. They can have a much longer tail than you think, which is why your team’s mental health is so important. Check in with your group. Are these people still good for this job? Do you need to switch things up and give someone a respite?
The same applies to outward-facing communication. Knowing when your CTO speaks publicly, and when a matter goes to the board first, is essential to managing a crisis. Knowing who makes the call and when it will happen is critical for communication with both social and mainstream media. Being proactive on social media is especially important: misinformation must be confronted with facts before it becomes embedded as the narrative.
Expert advice to enhance your cyber risk strategy
For more insights into how to navigate cyber threats at the board level, listen to our recent webinar. Our experts share their best practices for risk oversight, crisis management, and the critical role of the human element in defending against cyber threats. Don’t miss the chance to apply these insights to your own board’s risk strategy.