The new year has begun, and the first cybersecurity incidents have already happened. Yet, in the corporate world, it is business as usual. Have we gotten used to cybersecurity incidents? Is it just the price of doing business? Do we know where to start?
In my conversations with numerous board members, finding the starting point was one of the most prominent issues. While focusing on language and the strategic advantage can help put cybersecurity on the agenda, boards sometimes need to find an earlier starting point. Here are three ways some of my acquaintances have gotten their boards started on bringing cybersecurity into the boardroom.
Mentors for Cybersecurity Leaders
Most IT and cybersecurity professionals make great leaders. From their experience dealing with complex situations to their ability to manage stress and look after others, they have all the hallmarks. Yet, in many cases, they are confined to the IT world and are seldom given the chance to venture out of it. Board presentations require factual knowledge and the ability to quickly summarize the content in the appropriate business language.
Like every skill, this ability takes time and valuable feedback to build. Financial officers often face the same issue and are thus assigned mentors, either externally or from within their department. Boards should give the same opportunities to their technical leaders. With cybersecurity, AI, and digital transformation increasingly mission-critical in business, IT leaders should have access to the same opportunities. Otherwise, complaints about the board-readiness of IT leaders would be an excuse to avoid taking responsibility.
Tabletop Exercises
Getting into the topic might be daunting, notably when the board has never dealt with IT and cybersecurity issues beforehand. Tabletop exercises provide the opportunity to see how the system works during a crisis. Board and management simulate an incident, their roles, and the actions required.
In a way, it starts building the skills backward. Instead of looking at the preventive measures and the strategy for the coming year, you begin by looking at what to do if all goes wrong. As crisis communication is part of many board areas, it starts the discussion from familiar territory. Consequently, knowledge gaps and areas for continued education will reveal themselves naturally.
Working with a tabletop exercise also feels more relevant than simple classroom-style instruction. By now, everyone should know that incidents happen. It is only a question of when. As there are many companies and incidents to learn from, the practice can use the information already out there, thus creating relevance and urgency organically.
Cybersecurity Advisors at the Board Retreat
Another good option to get started with cybersecurity is to invite an advisor or consultant to the board retreat. During ordinary meetings, there is limited time for inductions and education. Strategy and current events take up most of the time. A multi-day board retreat, however, allows members to put some more complex topics onto the agenda. Thus, a deep dive into the current IT and cybersecurity strategies and priorities becomes possible even when allowing for explanations and questions.
Additionally, the social aspect of the board retreat allows technical leaders to get more comfortable interacting with the board. Especially for emerging talent, this can help demystify personalities and processes. Consequently, it might lead to more candid insights than participating in the formal part of a board meeting.
Get Started with Cybersecurity Oversight Now
It only takes a small step to get started. With attacks continuing to plague our societies, boards must oversee this crucial business function. Moreover, with governments tightening regulations and requiring official reports for breaches, boards have little time to get started.
Getting your leadership ready to report, reviewing your disaster and communication plans, and getting experts to teach you can get you started along the way.