Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards in particular, they should present information in nontechnical terms to the extent possible, and prioritize discussion of issues according to the business risk each one poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

IT Security and Privacy Survey Webinar Highlights

By Cal Slemp, Managing Director, IT Security and Privacy
and Scott Laliberte, Managing Director, Vulnerability and Penetration Testing

We covered the release of our 2015 IT Security and Privacy Survey here on our blog in September, but given the survey’s finding that there was a widespread lack of cybersecurity confidence among organizations surveyed, we wanted to revisit this important topic with discussion from our October 27 webinar.

Cyberattacks are increasing in frequency and sophistication. One in three targets falls victim. If your organization is not keeping pace with the threats, then you are falling behind.

Directors take note: The most significant differentiator in an organization’s preparedness for a security breach or cyberattack is the degree to which the board is engaged in IT security and asking hard questions that management has to answer. These include:

  • Does the organization have a formal and documented IT crisis response plan?
  • Is it tested at least annually?
  • How robust is the testing – perimeter only, or more enterprise-oriented war games? Does it evaluate the efficacy of breach detection and kill chain disruption?
  • How deep is our training/knowledge?
  • What is our average time to detection of breaches and how does it compare to the industry?
  • Are we testing for social engineering attacks?

Executives beware: The cyber threat landscape is evolving faster than typical IT security measures can keep up. One of the rising threats is social engineering attacks (especially spear phishing), designed to trick high-level executives into downloading malware/spyware. Statistics show that such schemes have a success rate of over thirty percent. This rate can drop significantly with proper training, but even so, it only takes a single high-level breach to gain access to high-value, “crown jewel”-type information.

In addition to the questions listed above for board members, executives should be asking:

  • Who is responsible for IT governance – especially information security?
  • Does everybody in the organization know that?
  • How deep is our bench? If one or two key people were removed from the chain of command, would we still be able to effectively execute our crisis plan?
  • What are our “crown jewels”? What information do we have that needs to be protected?
  • How would we know if we’ve been breached?

IT leaders: Make sure you’ve got your bases covered. Recognize that the threat landscape is constantly changing. Stay up to date on data security certifications, such as ISO 27001 and PCI DSS. Make sure you have a solid, vetted IT crisis plan in place, test it regularly, communicate it to employees and train everyone in their role. Drill your team with real-life war game scenarios until you are confident that everyone knows their role and your plan will work as intended. Pull out a couple of key people and run the simulation again to ensure sustainability. Constantly ask yourself: “What are we missing?”

It is worth pointing out that most breaches go undetected for more than 6 months, and are usually discovered by a third party. This highlights the need to test detection capability, in addition to response capability.

The survey revealed a decrease in certain key IT security elements – such as policies and training – over the past three years. Although disconcerting, such dips are not uncommon as organizations transition from a rote “check-the-box” mentality to real readiness.

All signs point to an increased awareness of IT security challenges. For a more robust discussion and solid background on this issue, listen to the webinar and download the survey report.