I believe it is safe to say that some boards of directors are not cyber security experts, nor should they have to be. The board of directors should be moving the company’s business forward, confident that a cyber security team is in place. However, I do feel that it is still very important for members of the board to stay informed on the company’s cyber risk and to understand how to oversee the company’s management of that risk. They may also want to know how cyber policy and regulation affect their business risk. Soon investors, governments and others will want to know a company’s cyber security health in much the same way they want to understand its financial health.
Ignoring this responsibility can leave the company highly exposed to a cyber security breach. For cyber security to be successful there needs to be support and sponsorship from the highest levels of executive management, including support from, and accountability to, the board.
The board should require a quarterly document that gives an executive overview of the company’s cyber security posture. This document can also be used during an acquisition or when preparing for an IPO. Being open and forthright can quickly win the trust of investors.
There are many possible topics; to open the discussion, please consider the following seven points that the board may want to review to understand the company’s cyber security risk:
  1. Updated cyber security assessment and breach mitigation plan
  2. Number and types of breaches in the previous 12 months
  3. Technology shortfalls causing gaps and exposure to risk
  4. Personnel shortfalls causing gaps and exposure to risk
  5. Cost associated with each gap
  6. Time frame to close each specific gap
  7. Prioritization of gaps from highest risk exposure to lowest
I could list much more; however, my purpose is to help the board and senior executives consider how much they really understand about their cyber security posture. Requiring the organization to provide those answers will help create a culture of cyber security awareness and improvement. These may also be good points to put to trusted vendors, acquisition candidates, merger candidates, and so on.
As we are all painfully aware, hacks, attacks and breaches are increasing exponentially. The board’s overall oversight and sponsorship can only help lower the risk of litigation and brand degradation. At the very least, the board and the company may be put in a positive light by refusing to stick their heads in the sand and gamble that they will never be breached.
For more information on how Symmetry’s cyber security managed IT services can help your organization be secure and compliant, visit Symmetry’s managed security services.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.