The role of the corporate board in cybersecurity
The corporate board bears a crucial responsibility for managing cybersecurity risks that threaten organizations of all sizes. As overseers of the company’s cybersecurity posture, board members must take active steps to protect its assets and data from cyber threats. However, some board members may not fully understand their personal liability for lack of oversight in this area.
Under corporate governance laws, board members have a fiduciary duty to act in the best interests of the shareholders and protect the company from cyber threats. If a board member fails in this duty, they may face personal liability for any resulting losses or damages. According to the landmark 1996 ruling in Caremark, directors can be held accountable if they fail to properly monitor and oversee the company or if their inaction results in a loss. Furthermore, if the company breaches data protection laws, such as the EU’s GDPR, board members may be accountable.
A framework for addressing cybersecurity risk
To effectively mitigate cybersecurity risk, the corporate board should take the following steps:
- Stay informed: Invite the CISO or vCISO to present updates, but don’t rely solely on these presentations. Have a board member with technical expertise stay current with industry news, attend security conferences and events, and engage with security experts.
- Assess risk posture: Conduct a comprehensive risk assessment to identify areas of weakness and potential vulnerabilities.
- Develop a cybersecurity strategy: Based on the results of the risk assessment, outline steps to mitigate risk and protect against cyber threats, including the implementation of technologies, processes, and training programs.
- Allocate resources: Ensure the organization has adequate funding and staffing to implement and maintain its security posture.
- Foster a culture of security: Encourage security awareness and training throughout the organization and incorporate security into company policies and procedures.
- Ensure a true representation of risks: Consider forming a cybersecurity committee that works directly with the CISO, so the board gets a clearer understanding of risks; executive management may suppress or under-appreciate cybersecurity risks.
- Engage with third-party vendors: Partner with a security vendor to supplement internal security efforts and stay updated on the latest security technologies and best practices.
- Monitor and review regularly: Establish regular review processes to ensure the organization’s cybersecurity posture remains effective, including reporting from the CISO on threats and regular reviews of security policies, incident response plans, and metrics.
Clearly, the corporate board has a critical role to play in mitigating cybersecurity risk. By staying informed, assessing the organization’s risk posture, developing a comprehensive cybersecurity strategy, allocating adequate resources, fostering a culture of security, engaging with a third-party vendor, and monitoring and reviewing regularly, the board can help ensure that the company is taking the necessary steps to protect itself against cyber threats.