Strengthen security, boost company performance with effective board oversight
In this monthly column, Diligent leaders share their thoughts on some of the latest insights from Diligent Institute and what they mean for boards, the C-suite and senior leaders. Don't miss a single column — subscribe here.
The digital landscape is a double-edged sword. On one hand, it empowers organizations to innovate, connect and thrive in an interconnected world. On the other hand, it exposes them to unprecedented risks — particularly in the realm of cybersecurity. As the frequency and severity of cyber incidents escalate, boards find themselves at the forefront of this battle. The stakes are high: Projected financial losses from data breaches are estimated to reach a staggering $10.5 trillion by 2025. Regulatory bodies like the SEC are turning up the heat, emphasizing the critical role boards play in safeguarding their organizations' interests.
In this context, effective cyber risk governance becomes paramount. But how do boards approach this challenge? Are there specific security strategies that correlate with better performance? Let's delve into the findings of a recent study conducted by Diligent and Bitsight.“Cybersecurity, audit and the board: How does board oversight impact cybersecurity performance?” — with first-of-its-kind research — sheds light on the nuances of cyber risk governance and how it can lead to greater value creation.
Cyber risk management and its impact on shareholder value take center stage
Boards are no strangers to risk discussions. However, the spotlight has shifted dramatically toward cyber risk. It's no longer a niche topic relegated to IT committees; it's a boardroom priority. Why? Because cyberthreats can cripple organizations, tarnish reputations and impact shareholder value. As stewards of their companies, boards must navigate this treacherous terrain.
The CISO's dilemma: Selling absence of events
Chief information security officers (CISOs) face a daunting task: Convincing the board to invest in cybersecurity measures based on the absence of catastrophic events. Unlike tangible assets, the value of prevention is harder to quantify. Yet, this investment directly affects the probability of costly breaches; as that probability decreases, the potential for value creation increases. It's a delicate balance — creating value by preventing something that hasn't happened yet — but it’s a balance that CISOs and boards must be able to effectively communicate about.
The correlation between risk mitigation and company performance
Diligent and Bitsight's collaborative report examines the correlation between security performance and total shareholder return (TSR). The results are eye-opening. The study found that companies with more advanced security programs, as demonstrated by higher cybersecurity scores, consistently outperform those with weaker defenses. The bottom line? TSR, the primary metric for management teams and boards, aligns with security prowess.
Standing up the right committees for better oversight — and better performance
The SEC's push for greater transparency around risk management processes underscores a fundamental management principle: "You cannot manage what you do not measure." As detailed in the Diligent and Bitsight report, boards that establish specialized audit or risk management committees demonstrate a material difference not only in security outcomes but also in TSR.
And it's not just about board composition or ticking a box; having a subject matter expert on the board isn’t enough. What’s needed is consistent, diligent practice, not to mention surfacing the right amount of contextualized data to the audit or risk management committee so it can provide effective oversight.
Cyber risk governance as an imperative
Diligent and Bitsight's data-driven insights emphasize the importance of strong cyber risk governance. It's no longer merely an investment issue; it's a governance imperative. Boards must proactively steer their organizations toward resilience, preserving and growing shareholder value in an ever-evolving digital landscape.
As we navigate this cyber frontier, let us remember that our decisions today shape the security landscape of tomorrow. The boardroom is where strategy meets reality, and cyber risk governance is our compass.
