Cyber risk is no longer a concern for only the Chief Technology Officer
From the Boston Business Journal series
Cyber risk is not just the responsibility of the Chief Technology Officer. Who else should be concerned?
Cyber risk is no longer a concern for only the chief technology officer
An employer’s perspective, as shared by William K. Bacic, New England managing partner, Deloitte LLP
It is no secret that cyber risk has become a leading enterprise-wide risk for today’s companies. However, cyber risk is not just the responsibility of the chief technology officer, or the chief information security officer. Today, many board members are becoming involved in making sure that their organizations is aware of the primary ways that a cyber incident could impact their businesses, and taking necessary precautions to manage those risks.
Many strategic undertakings can introduce new cyber risks. One of the key roles of the board is to ensure that an organization has the ability to ask the right questions and to identify when cyber risk issues need to be put on the table. In some organizations, it may be necessary to recruit new board members with the talent and experience to bring this dimension.
While the board will likely not get involved in the details of the cyber risk program, the board should play an active role in ensuring that the cyber risk program is aligned to a business risk profile; this profile reflects an understanding of likely attackers, objectives, and which assets are most at risk. By asking the right questions, the board can challenge management to help create a more tightly aligned program. Potential questions could be, “What executive should be leading cyber risk management?” or, “What are the greatest cyber threats to our organization?” Asking these questions may help board members understand what areas require more attention, and how they can avoid an incident from occurring.
If they haven’t already done so, board members should also consider the following:
- Is appropriate funding for the cyber risk program being allocated?
- Is management able to produce reports and metrics that show the effectiveness of the cyber program?
- Is the organization prepared to respond in the event of a major cyber crisis? Are roles well-defined, and has it been determined who will be the “voice” of the organization?
During a cyber risk crisis, a quick response is essential. While management is normally the first voice of the organization, board members should consider also weighing in.
Having a diverse set of opinions from the board, including a voice of someone experienced in cyber risk, allows for the presentation of a new set of opinions, perspectives and viewpoints on management’s plan and response tactics.
Practicing cyber war gaming can be an effective way of raising the board’s level of awareness and understanding.
The board’s role in cyber risk oversight is evolving, and I cannot emphasize enough the importance of having strong dialogue with management. Without this close communication between boards and management, your organization could be at risk.