Cyber Risk is Rising; Expertise in the Boardroom Should Follow


By Dave DeWalt, Founder and CEO, NightDragon

In 2022, millions of individuals were affected by cyberattacks in the United States alone, with each attack costing an average of $4.45 million. By 2025, the cumulative losses from all these attacks are expected to top $10.5 trillion – a staggering number. And yet despite this rising risk targeting businesses of every size and industry, there remains a large gap at the highest levels of our nation’s largest organizations when it comes to cyber literacy and education.

In a recent study released by NightDragon and the Diligent Institute, a survey of all S&P 500 board members found that 88% lack an executive with specialized cybersecurity experience on the board and only 1.4% have a CISO or former CISO board member among their ranks. In addition, 7% lack similar specialized experience in other technology categories.

It is more important than ever for organizations to close this education and expertise gap. Boards have a fiduciary responsibility to guide their organization in mitigating risk. In addition, the Biden administration is in the midst of mandating that companies quickly disclose breaches and publicize risk mitigation strategies as part of their annual regulatory reporting requirements, and the U.S. Securities and Exchange Commission has adopted new regulations around the topic, among other efforts.

While it might not be realistic or even ideal for every organization to add a specialized cybersecurity expert to the board, there are immediate steps organizations can take to increase their cybersecurity awareness, and more and more boards are looking to add cyber expertise to their ranks or increase education amongst existing board members.

Some considerations could include: 

1. MAKE EDUCATION A PRIORITY

Companies can help their board make informed decisions regarding risk by educating their existing board members on the current threat landscape and on new technology categories. Some CISOs will do quarterly “brown bag” lunch meetings, where a different cyber topic is discussed in detail at each. Enrolling their board in cyber certification programs would also be another positive step. See the resources listed at the end of this article. 

2. REGULAR BOARD REPORTING 

Ensure your CISO or security team leads regular (quarterly or more frequent) reports to the board on the state of the business and its risk mitigation efforts, including an overview of the company’s current risk profile, as well as insight into recent threats that could ultimately affect the organization.

3. INTEGRATE INTO COMPANY STRATEGY

While cybersecurity should be a fixture in the company’s regular reporting schedule, board directors should also consider how it can be tightly integrated into every piece of the company strategy on an ongoing basis. 

4. PRACTICE, PRACTICE, PRACTICE 

While we always want to hope for the best, we should also prepare for the worst – no matter the makeup of the board. Boards should consider and prepare for what steps they would need to take if a cyber incident were to occur. This could include tabletop exercises, where incident response is practiced, like a fire drill. 

5. ADD CYBER EXPERTISE DIRECTLY TO THE BOARD

While education helps to close the gap around cybersecurity, businesses can also consider whether adding a CISO to the board directly makes sense for their needs. There are many former CISOs and former cybersecurity leaders now looking to sit on or advise boards, and a business’s own CISO is another option.

Every corporate board risks falling short in its duty to shareholders if it doesn’t take the threat of cyberattacks seriously. An industry expert or an educated board can have a significant impact on interpreting cybersecurity posture and helping to guide future strategy in a way that will drive long-term success for the business.

Getting educated on cybersecurity will only become more important as technologies like artificial intelligence emerge. AI and other constantly evolving technology advancements are poised to further amplify the power, strength, and lasting impact of cyber incidents. There’s not a more important time than now for boards to consider how they can work together with others in their industry or broader business community to share best practices around cybersecurity, as well as how they can work in public-private partnerships with government organizations.

As executives, board members, and leaders at companies in every industry, we all have an important role to play in closing this gap and mitigating risk from bad actors. Let’s all vow to take a step back and consider the state of our organization’s board now, because the situation is only going to get worse. Make a plan before you’re hit with a cyberattack.

If you’d like more information regarding boards and cyber education, please visit the sites below: 

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Image and article originally from www.nasdaq.com.