A Cyber Security Guide for the Board

How can an organisation’s board engage constructively with cyber security issues so that they can increase the organisation’s cyber security posture, create a security-conscious culture, and drive secure and sustained business growth? NSP presents a brief guide with reasons and solutions.

WHY DOES CYBER SECURITY MATTER TO THE BOARD?

Cyber risk is an integral component of business risk, and there are several good reasons why your board should be thinking about cybersecurity issues.

• Upcoming changes to New Zealand’s privacy laws, due November 2020 are increasing organisational responsibility around the protection of personally identifiable information (PII).
• The upcoming PII legislation pertains not just to the organisation, but to individuals too, so board members can be deemed liable.
• A data breach or ransomware attack threatens organisational reputation, putting partner and customer trust to the test.
• Stolen or destroyed intellectual property (IP) delays projected growth rates
• If an attack paralyses organisational IT for more than 48 hours and impacts productivity, the bottom line of the business will be affected.

WHAT CAN THE BOARD DO?

The board is the key driver of the cyber security strategy and culture and must help craft the policies that aim to protect the organisation from the threats that are out there. Coming from the top, they can help create a culture that sees these policies as a positive benefit to the organisation.
The Ponemon 2019 ‘Cost of a Breach Report’ shows how the board can directly and through strategy minimise the impact of a breach. Ponemon has calculated that a data breach costs USD 150 per record. Various factors can increase or decrease this cost:

• Board involvement can reduce this by USD 7.07
• The appointment of a Chief Information Security Officer (CISO) can reduce this by USD 6.85
• Employee training, which is a crucial culture tool, can reduce this by USD 10.31
• The appointment of a Chief Privacy Officer (CPO) can reduce this by USD 2.08

WHAT ARE THE ROADBLOCKS STOPPING THE BOARD?

The board is rarely made up of experts in cyber security and therefore is isolated from expert advice. Often when it does try to engage with its own IT teams, the two parties have problems communicating clearly to each other about risks and solutions.

WHAT IS THE SOLUTION?

The board can seek the necessary expertise and support from a CISO or Virtual CISO (vCISO) who will help bridge that gap in understanding and assist in the creation of a strategy and culture that creates a secure business.

More about New Zealand Privacy Act 2020.

Learn more about Security Awareness.