
Cybersecurity – The Disconnect Between the Chief Information Security Officer and the Board

Chief Information Security Officers (CISOs) need to better communicate strategies and initiatives to board members.


UK Companies Need Chief Information Security Officers 

UK companies are under threat from cyberattacks, yet only about five per cent have a Chief Information Security Officer (CISO), either on the board or working with the board, a recent Deloitte poll shows. And only half have a cybersecurity plan in place.

The need for UK companies first to engage a Chief Information Security Officer, and then for the board to work closely with one, is becoming ever greater.

The Chief Information Security Officer job has not changed: The role is to keep the organisation secure from hacking, cyberattacks and other cyber threats.

What has changed is the complexity and composition of the areas requiring protection. “With public cloud infrastructure managed by third parties, a higher percentage of SaaS applications deployed, Wi-Fi, mobile devices, and connectivity to an entire eco-system, security is significantly more challenging today than ever before,” warns security firm Symantec.

Meanwhile, in the UK, at least half of every type of organisation, large or small, public or private, for-profit or charity, has suffered a cyberattack at least once.


Boards need to communicate with the Chief Information Security Officer

Some UK boards have so little expertise in cyber matters, the Chief Information Security Officer faces an uphill challenge in getting directors to understand what threats are out there and why the company must provide the budget to deal with them.

“For years, there’s been a disconnect between the way that boards assess cyber threats, costs, areas of responsibilities, and the experience of the IT specialists tasked with managing security. So why is it so hard for security executives to convey that sense of urgency and enormity to their board?” asks Symantec.

Boards understand risk management, so it helps to present the dangers in terms of risks — perhaps with a sort of heat map.

Start with four questions:

  • What are the risks?
  • Where are we secure?
  • Where are our weaknesses?
  • Where do we need to invest?

Having explained the risks, the Chief Information Security Officer should then discuss the consequences in business terms and explain what happens when a company experiences a data breach: there is reputational damage, customers seek new suppliers, and the fear that your company can’t be trusted leads to a business decline.

They should also provide clarity on the subject of the cost of a data breach. The IBM-Ponemon study showed that the average cost of a data breach is $3.86 million, but the cost of “mega breaches,” where 1 million to 50 million records are lost, can run from $40 million to $350 million. The Chief Information Security Officer should run through the factors described in the study, so that boards can grasp the magnitude of the threat.

Chief Information Security Officer – What needs to be done?

With the risk side of cybersecurity explained, the Chief Information Security Officer should explain what needs to be done. This includes:

Defences. “How the company has effective defences. The experts follow changes in the threat landscape. We have visibility into our digital assets and networks. We’ve done all the due diligence we can to protect ourselves from being the next victim of a cyberattack.”

“And very importantly, we are regularly testing and validating our defences with ‘live fire.’ We hire expert hackers to try to hack us and immediately fix what turns out to be hackable,” says Akamai, in a recent report.

Monitoring our customers. “Our experts are constantly monitoring our customers’ access to our business. Having tracked their normal online behaviours, our experts watch carefully for any abnormal access. We notify them about any irregularity.”

Response. “Our company has a response plan in place. Our team is trained. They know how to respond when an attack or breach does occur. It’s clear who must be informed, including executive management and corporate legal and communications staff, as well as any customers affected or other providers of personal data.”

Diligent board management software makes sure you are ready for all threats

“Carefully protected internal communication services centred on security and privacy are the safest way to conduct internal communication,” the study noted. Diligent board management software, as the long-standing market leader for high-level corporate communications, is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent’s clients gain a strategic partner that truly puts security first.

All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available and are ready to thwart all the most sophisticated attack techniques.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cybersecurity framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and verified by two-factor authentication.

Data is encrypted at rest, in transit and on the users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle a security incident. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.
