Cybersecurity: Making it a boardroom priority
As cyber threats grow more sophisticated, executive leadership must take an active role in protecting digital assets, customer trust, and business continuity

In today's digital-first world, cybersecurity has become a critical responsibility for every organisation, whether it's a government agency, a small business, or a large corporation. Once considered the responsibility of IT departments alone, cybersecurity now demands active involvement from executives and board members.
As cyber threats grow more sophisticated, leadership needs to take a hands-on role in shaping and overseeing cybersecurity strategies. Strong cybersecurity governance not only protects an organisation's digital assets but also preserves its reputation, customer trust, and legal compliance.
The first step for board members and executives is understanding the broader cybersecurity landscape. Cyberattacks are evolving rapidly, and new threats such as ransomware, phishing, and vulnerabilities within supply chains are becoming increasingly common.
Staying informed about these risks is crucial. Engaging with cybersecurity experts enables leadership to make informed decisions while navigating this complex and fast-changing environment.
Additionally, it's essential to understand the legal and regulatory framework, including data protection laws such as GDPR and CCPA, as well as local regulations. Non-compliance can lead to significant financial penalties and reputational damage. For example, in 2020, British Airways was fined £20 million by the UK's Information Commissioner's Office for a data breach that affected over 400,000 customers, underscoring the financial and reputational risks of failing to prioritise cybersecurity.
Cybersecurity should no longer be viewed as an isolated technical issue but as a crucial part of the overall business strategy. As former US Secretary of Defense Robert Gates aptly put it, "If you think security is expensive, try a breach." Cybersecurity is not just about protecting data; it's about safeguarding financial stability, brand value, and customer relationships.
Therefore, board members and executives must ensure that cybersecurity initiatives align with the organisation's broader goals and risk management framework. Integrating cybersecurity into the company's core risk management strategy allows leadership to make well-informed decisions that drive growth while minimising exposure to cyber threats.
Creating a strong cybersecurity posture requires fostering a culture of security across the entire organisation, starting from the top. Executives and board members must lead by example, prioritising cybersecurity and clearly communicating this commitment throughout the organisation.
Employees must understand that cybersecurity is everyone's responsibility and that their actions play a vital role in protecting the organisation. Regular training programs, especially on common threats like phishing and social engineering, help employees identify risks and respond quickly and effectively when faced with cyber threats.
Clear roles and responsibilities are essential in cybersecurity governance. Appointing a Chief Information Security Officer (CISO) or an equivalent position is critical to ensuring focused attention on cybersecurity.
The CISO should report directly to the board or CEO to ensure that cybersecurity issues receive the attention they deserve. Board members should actively participate in approving cybersecurity policies, budgets, and major initiatives to ensure clear accountability and oversight.
A good example of this is JPMorgan Chase, where the CISO worked closely with the board to create one of the most robust cybersecurity frameworks in the financial industry, strengthening the bank's resilience against cyberattacks.
To support a strong cybersecurity foundation, organisations should adopt established cybersecurity frameworks like ISO 27001, the NIST Cybersecurity Framework, or the CIS Controls. These frameworks provide guidelines for assessing and mitigating cybersecurity risks.
Coupled with comprehensive policies covering encryption, access control, incident response, and vendor management, these frameworks help build a strong cybersecurity infrastructure. Regularly reviewing and updating these policies ensures they remain effective against emerging threats. Cybersecurity is an ongoing effort, requiring continuous evaluation and improvement.
Measuring the effectiveness of cybersecurity efforts is another critical component. Board members should ensure that key performance indicators (KPIs) are in place to track the success of cybersecurity initiatives.
These may include metrics such as incident response times, patching rates, and employee training completion. These indicators provide insights into how well the organisation is managing its cybersecurity risks and guide decision-making. Having these metrics in place also enables leaders to take corrective actions quickly if any gaps are identified.
Despite all precautions, no organisation is entirely immune to cyberattacks. That's why an effective incident response plan is essential. This plan should define clear protocols for detecting, responding to, and recovering from cyberattacks, involving collaboration between legal, communications, and IT teams. Regular simulations and tabletop exercises ensure that everyone knows their role and can respond swiftly in case of an actual cyberattack.
Ongoing investment in cybersecurity is crucial for staying ahead of emerging threats. Board members must allocate adequate resources, both financial and human, to support ongoing cybersecurity initiatives. This includes investing in the latest technologies, hiring skilled cybersecurity professionals, and providing continuous training.
As Satya Nadella, CEO of Microsoft, put it, "Cybersecurity is not a cost centre; it is an enabler of trust and a key pillar of a digital business strategy." Cybersecurity is not just about risk avoidance—it's a fundamental enabler of business growth and digital transformation.
Engaging with external experts for third-party assessments and audits can further strengthen cybersecurity governance. These independent evaluations help uncover vulnerabilities that internal teams may overlook.
Collaborating with industry peers and participating in information-sharing networks also enhances the organisation's ability to stay informed about the latest threats and trends.
Finally, compliance with data protection laws is essential. Regular audits of data protection policies help minimise legal risks and maintain customer trust. In the unfortunate event of a data breach, having a breach response protocol in place ensures the organisation can act swiftly to minimise damage and preserve its reputation.
As cybersecurity expert Alissa Knight aptly stated, "Data privacy and security are the foundation of trust, and trust is essential for thriving in today's digital economy."
Cybersecurity governance is an ongoing, dynamic process that demands the active involvement of board members and executives. By understanding the cybersecurity landscape, aligning security initiatives with business strategy, fostering a culture of security, and establishing clear roles and frameworks, leadership can protect their organisations from the ever-growing threat of cyberattacks.
Ultimately, strong cybersecurity governance not only safeguards digital assets but also ensures the long-term success of an organisation in an increasingly interconnected world.
B M Zahid ul Haque is an Experienced CISO and Cyber Digital Transformation Strategist. The author can be reached at bmzahidul.haque@gmail.com.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.