Cybersecurity expertise still lacking in the boardroom


The growing frequency and visibility of cyber-attacks have intensified the financial, operational and reputational risks for organisations. Yet as cyber threats become more complex and prominent, questions remain about whether boards are effectively equipped to govern them. 

Insights from Harvard Business Review (HBR) highlight a concerning trend: despite increased awareness, board-level oversight may not be keeping pace with the evolving threat landscape. This is particularly evident in the continued rise of financial losses from cyber incidents.

HBR noted three elements of board make-up and strategy which may improve results.

Cybersecurity Expertise is Lacking

There’s a lack of cybersecurity expertise at executive level. In a review of 239 board members serving on cybersecurity committees across 62 firms, only one director had formal cybersecurity education. Furthermore, just five had completed some cybersecurity training or certifications, and only 16 had contributed relevant practical cybersecurity experience – creating an overall lack of skills and experience. 

When asked about how this would be overcome, the emphasis was on adding qualified cybersecurity professionals to boards in order to combat the skills gap. Alternatively, upskilling existing board members could be explored. 

However, one experienced cyber board member commented that the pace of technology change makes it a challenge for other board members to upskill. 

This research indicates that identifying and appointing cybersecurity leadership into board-level positions could be the most effective method of managing this gap. 

Response to a real cyber crisis, or to simulated cyber incidents, allows boards to assess cyber professionals’ suitability for a board-level or senior leadership position, considering decision making under pressure, communication, and approach to business defence and continuity.

Identifying, evaluating and recruiting strong cybersecurity leaders at board level will be essential, the article suggests.

Considering AI in Cyber Strategy

While cybersecurity expertise presents a foundational challenge, it is further aggravated by the rapid emergence of new technologies – particularly AI.

Board-level discussions must increasingly integrate cybersecurity oversight with broader strategic conversations – especially when it comes to AI. Too often, AI is being treated as a driver of efficiency and innovation, without sufficient consideration of the associated security risks. This is a dangerous precedent.

Malicious actors are using AI to generate malware, ramp up the scale and speed of cyberattacks, and produce phishing content.

Balancing both the benefits and risks of AI in boardroom discussions is essential, and governance and risk committees should be keeping a close eye on the evolving threats of AI.

Security Needs to be Differentiated from Compliance

Finally, there is a misconception that cybersecurity and compliance are one and the same. However, an overemphasis on compliance can create a false sense of security.

The time-sensitive nature of cybersecurity discussions can result in a tendency to prioritise evidencing compliance. However, the focus should be on making sure security measures are effectively implemented in practice.

With cybersecurity risks evolving at such a rapid rate, compliance frameworks and regulatory requirements may struggle to keep pace. 

While regulation once provided a useful foundation for cybersecurity practices, organisations must now also prioritise continuous improvement and best practice.

The article indicates the way to drive change at board level is through treating cybersecurity as a competitive, operational resilience issue. Financial, operational and reputational impacts are likely to drive stronger responses than regulation, so ensuring these are at the forefront of board discussions will drive positive change. 

Empowered Leadership

To address these issues, boards must take a more proactive and strategic approach to cybersecurity governance.

This includes strengthening cyber expertise at board level, embedding security operations into broader technology and strategy discussions and moving beyond a compliance-first mindset.

Prioritising recruitment and investment in cyber leaders will be critical.

With boards increasingly understanding the importance of expertise in cybersecurity, there is an opportunity to drive investment. Quality of leadership in cybersecurity will outweigh having a higher number of less-experienced cyber leaders at executive level. 

Empowered cyber leaders will be able to capitalise on opportunities and strengthen cyber posture, all contributing to the protection of finances, operations and reputation for organisations in the face of a rapidly evolving cyber landscape.  