What Boards of Directors Are Missing about Cybersecurity

What Boards of Directors Are Missing about Cybersecurity
Written by Brian Thomas
Manager, Content Marketing

Cyberattacks have increased significantly in recent years, bringing vital conversations about cybersecurity into the Boardroom. As Board oversight of cybersecurity has increased, Board members — even those without technical expertise — have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these Boards get a grip on their organization’s cybersecurity posture.

However, while there are many lists of what Boards of Directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Each organization has a unique risk profile — when Board members rely too heavily on predetermined frameworks and cyber security risk assessment checklists, they risk passing over the most urgent risks.

What Are Board Members Missing? The Dangers of Bike-Shedding

When there is incongruity between the extent of the Board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding.

Bike-shedding occurs when a team spends an unnecessary amount of time on trivial details, neglecting the big picture. It usually happens because the most important issues are so complex that teams focus instead on simpler, more solvable problems. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.

[Learn about the core elements of risk-based reporting.]

Here’s an example: let’s say that a Board of Directors has learned about a recent ransomware attack on a competitor. Each Board member has a decent understanding of how ransomware works and how dangerous it can be, and in the next Board meeting they discuss different ways their organization might be targeted, possible ransomware prevention initiatives, and whether or not the company’s firewall and detection tools are sufficient. After discussing and voting on those details, they quickly run through the rest of the cybersecurity agenda items.

Meanwhile, there are several much more pressing cybersecurity threats facing the organization, none of which get adequate attention from the Board. Malware prevention, while important, is receiving a too-large share of resources because it’s more visible and easier to get a handle on than these other issues. The Board has gotten hung-up on one tactical detail, rather than assessing their organization’s cybersecurity strategy as a whole. This is bike-shedding in action.

Here are some cybersecurity issues that might need more attention from the Board of Directors at your organization, and tips for addressing them.

Third-Party Risk

Rather than coming directly through an organization’s systems, many cyber attacks originate in the systems of third parties. Third-party data breaches are among the most expensive, so a solid understanding of supply-chain risk is essential for many enterprises.

Regulators are increasingly targeting third-party risk. Wide-reaching laws like GDPR and industry-specific regulations like the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and NERC CIP-013 in the utilities industry provide specific requirements for managing third-party risk.

But third-party risk is complex. When an organization has hundreds or thousands of third parties with access to sensitive data and systems, keeping the company secure becomes extremely complex.

cyber risk reporting ebook

Learn how to revolutionize the reporting process at every level of your organization.

Thankfully, there are tools on the market that make this task more manageable. Security ratings, for example, can help you gain an understanding of your supply chain’s strengths and weaknesses, continuously monitor third-party risk, and set measurable security expectations for vendors and partners.

Fourth-Party Risk

As challenging as it can be to keep track of your own third parties’ cybersecurity, things get even more complicated when those partners also share access to important data and systems with other parties. Third parties’ third parties (your fourth parties) have the potential to impact your business, so it pays to know what kind of standards your partners have for their third-party connections.

Fourth-party risk is especially problematic when it comes to software and cloud services. Outages at major providers have caused downtime across wide swaths of the internet, and making a recovery plan for these scenarios can seem near-impossible considering the exponential nature of fourth- (and fifth-, and sixth-) party risk.

It can be helpful to simply open up a conversation with your third parties about their supply chains in order to gain a better understanding of their risk management expectations. However, their suppliers will likely change over time, and you might not be notified of every change. With tools like Bitsight Discover, you can map and monitor the service providers used by your vendors and utilize that data to make more informed procurement decisions and disaster recovery plans.

User-Related Risk

Human error can expose an organization to a wide array of cyber attacks, and business leaders say that employee negligence is the most common cause of data breaches. Phishing, for example, was implicated in 32% of data breaches in 2018. In addition, poor password practices, connecting to public Wi-Fi from company devices, and sharing files that contain malware are all examples of employee mistakes that could translate into huge costs for any organization.

Overcoming user-related risk is challenging. After all, it only takes one user and one click to expose an organization to risk.

Security awareness training can give employees a better understanding of their role in cybersecurity, but it’s also important to create a company culture of accountability. This can be achieved by communicating with business unit leaders about cybersecurity performance, and providing them with measurable benchmarks for success, like security ratings that can be tracked over time. These benchmarks can also become cybersecurity metrics for the Board, helping Board members understand user-related risk within the organization.

Overcoming Bike-Shedding and Filling in the Gaps

Is your Board looking at the big picture, or are they focusing on the cybersecurity tasks that feel most manageable to them?

When it comes to Board oversight of cybersecurity, bike-shedding is a real issue. However, with the right tools, Board members can identify the most urgent risk areas and work on strategies to address them.

One of these tools is security ratings. Because they require very little technical knowledge to understand, security ratings can give Board members accessible, valuable insight into the cybersecurity performance of your organization (as well as that of third- and fourth-party connections), improve the Board’s understanding of complex cybersecurity topics, inform decision making, and help create a more secure organization.

Are you ready to make more informed cybersecurity decisions? Download the Practical Guide to Risk-Based Cybersecurity Reporting.