A recent report from the National Association of Corporate Directors and the Internet Security Alliance makes the case that boards are taking a lead role on cybersecurity issues. Good thing, too, because cybersecurity and innovation are often at odds.
The technical work that comes with running an organization of any kind offers up a natural tension that can at times prove difficult to get past.
To keep a competitive edge, you often need to do things like offer BYOD to your employees or (carefully) test technology from an experimental new startup. But these are often at odds with recommendations from the security community, which err on the side of locking things down a little bit more.
So where do you lean? Honestly, it’s an area where having the board speak up would be useful. Are they up to the task?
The answer, for most organizations, appears to be yes—if in need of some thoughtful updating from time to time. According to recent data from the National Association of Corporate Directors (NACD), 79 percent of board directors say that their board has an improved understanding of cybersecurity compared to two years prior. Additionally, the report finds that 66 percent of directors feel that their board is confident enough to properly respond to a serious cyberbreach.
This reflects a change in mindset, according to the Director’s Handbook on Cyber-Risk Oversight 2020 [PDF], a guidebook for boards recently released by NACD and the Internet Security Alliance. On the heels of a separate report NACD released last fall that discussed the need for board leaders to keep up with change, the report offers some good news about the board’s willingness to step up: the task of security isn’t just being unloaded onto the IT department.
“Over the last several years, technology and data have moved out of their supporting roles and taken center stage as critical drivers of strategy,” the report states. “Executives and board members in organizations of every size and sector now recognize that they need to respond to transformational forces that are ‘global and highly complex, encompassing new business models, new entrants and new markets—and always with the looming prospect of next-wave technology disruptors.’”
The report, which was written with input from the U.S. Department of Homeland Security and the U.S. Department of Justice, takes a look at the risk oversight issue from a variety of basic angles, including strategic risk, legal considerations, board oversight, the need for a risk framework, and ways to measure cybersecurity within an organization.
It even has a detailed toolkit with specific tips for board member cybersecurity—including keeping devices updated, keeping logins and wireless accounts locked down, and backing up data frequently. It may sound like a lot to manage on top of all the other things a board member is asked to do, but there’s a reason for it.
So, back to the innovation vs. security question: There’s no guarantee of how a board might actually lean, as each one is different, but per the 2019–2020 NACD Public Company Governance Survey [NACD membership required], 61 percent of directors would be willing to bend the rules on security in the name of innovation, while 28 percent would favor security needs over all else. That may not be how your IT head decides things, but it nonetheless highlights an important voice that needs to be in the room when these concerns come up.
In a recent news release, NACD CEO Peter R. Gleason noted that the pressure to innovate in an era of rising security needs reflects a need for the board to get involved.
“Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured,” Gleason said in the release.
We’re in a world of knotty questions, and in the modern age, the conflict between security and digital transformation is one of the hardest to solve.
So it’s encouraging that boards appear to want to be a part of this conversation. Hopefully your board does too.