01/07/2025 | Press release | Distributed by Public on 01/07/2025 11:03
As threat actors advance their tactics, the ramifications of falling victim to a breach are growing more severe. According to the Fortinet 2024 Cybersecurity Skills Gap Report, nearly 90% of enterprises experienced a cyber incident last year, with 63% saying it took longer than a month to recover from an attack. Leaders within organizations are increasingly being held accountable when a breach does occur, with 51% of respondents indicating that their directors or executives have faced fines, jail time, loss of position, or loss of employment following a cyberattack.
While there's typically no single attributable cause of a breach, leaders cited a variety of factors that they believe contributed to successful cyberattacks: an IT and security staff that lacks the necessary skills and training (58%), a lack of organizational or employee security awareness (56%), and a lack of cybersecurity products (54%).
As breaches continue to be a common occurrence among organizations worldwide, it's clear that leaders must take an "all-hands-on-deck" approach to cybersecurity. Everyone, including the organization's board of directors, must be actively involved in managing the enterprise's risk.
The increasing frequency of attacks, combined with the potential for severe personal consequences for board members and directors, is resulting in a push from the top levels of organizations to strengthen cyber defenses. As such, boards of directors are recognizing that cybersecurity must be a company-wide responsibility and are taking a more active role in organizational risk management and related initiatives.
Almost three-quarters of executives say their boards were more focused on cybersecurity in 2023 than the year before. From thoroughly understanding cyber risks to allocating appropriate resources to protect the enterprise, there are numerous actions board members can personally take to augment the organization's cybersecurity efforts.
Executives say their board members are actively involved in discussing and shaping organization-wide efforts to mitigate risks as well. This includes involvement in activities such as implementing mandatory training or certifications for the enterprise's IT and security professionals (64%), offering security awareness training for all staff (61%), and procuring new or more robust security solutions (59%). Nearly 60% of leaders also say their board members have talked about hiring more IT and security professionals or increased headcount in those departments.
Wolfgang Bitomsky, chief information officer (CIO) at FCC Environment CEE, recently noted during an episode of the Fortinet Brass Tacks podcast that boards of directors primarily care about two items: managing risk and identifying opportunities for the company. Therefore, security leaders must align their own priorities (such as the need for new technology investments or potential security risks to the company that must be addressed) with those two topics to make them relevant to the board.
Bitomsky recommends ensuring that everyone, including board members, has basic cybersecurity knowledge. Many organizations make the mistake of treating cybersecurity as solely an IT issue. However, every individual within an enterprise is responsible for keeping the company's assets safe, and employees with the right knowledge can serve as a strong first line of defense against attacks. At a minimum, board members should understand the cybersecurity requirements and regulations the organization must adhere to, and ultimately should participate in training to better understand how cybersecurity impacts all areas of an enterprise.
When engaging with board members, consider the differing interests between internal teams and the board and adjust the communication strategy accordingly. It's crucial to present cybersecurity priorities and resource requirements in a way that isn't overly technical so that the group can easily understand the risks and make sound decisions based on the information shared.
Finally, Bitomsky advised security and IT leaders to position cybersecurity as a business priority, particularly when teams are looking to secure cybersecurity funding. He recommends transforming the overarching message into a risk-management statement. Demonstrate that cybersecurity is not just a cost, making it clear that investing in cybersecurity technology and skilled IT and security hires can help organizations avoid the financial and reputational damages associated with cyberattacks.
According to the Fortinet 2024 Security Awareness and Training Global Research Report, 97% of decision-makers say more employee training and awareness will help reduce cyberattacks. The study also found that when leaders, including boards of directors, strongly back security awareness and training, organizations are more likely to see some or significant improvement after implementation.
Regardless of industry, company size, or geographic location, garnering support from an organization's board of directors for cybersecurity initiatives is critical to effectively managing risk. From personally understanding cybersecurity issues to educating themselves on cybersecurity so that they can make more informed decisions, every board member plays a crucial role in the cybersecurity of the enterprise.