The cybersecurity gap in your boardroom
I wasn’t shocked at the beginning of this year when the World Economic Forum Global Risk Report for 2021 named cybersecurity failure and IT infrastructure breakdown among the highest-likelihood risks for organisations in the coming years. Cyber criminals increasingly operate as professionally structured organisations, which makes their attacks more dangerous and the risk higher. Luckily, many organisations have focused more on implementing cybersecurity tools to defend against these attacks. But implementing cybersecurity tools alone is no longer enough against the more advanced attacks. To make a significant change in your defence, cybersecurity should be part of your strategic decisions.
The awareness and understanding that is missing
When I ask you the following question, ‘where are the decisions being made in your organisation?’, I think you already know the answer. Management, the boardroom and the CEO are all examples of answers that follow. Everyone knows that if you want something to change, your concern needs to be a concern of the people in your boardroom. And that is exactly where the awareness for cybersecurity is missing.
It is important that the boardroom is aware of what happens in the organisation. But being aware alone is not enough; you also have to understand it. And that is exactly where the problem regarding cybersecurity lies. There is a cybersecurity gap in the boardroom because, apart from the CIO, the other members lack the knowledge on the topic to understand everything that is happening in the organisation. The cybersecurity gap is therefore one of a lack of awareness and focus, and a lack of understanding amongst board members. So why is this gap in the boardroom present and how can you fill it?
There are several reasons why this gap in the boardroom exists:
1. The complexity of cybersecurity
With the evolving attack vectors, cybersecurity is becoming more and more complex. However, the discussion usually ends up in talking about low-level operational security metrics that are not aligned with the strategic goals of the organisation.
2. Missing information
It is often the case that questions about cybersecurity are only asked in the boardroom when something happens. The question that follows from the CEO is: do we have it covered or not? A simple yes-or-no question, but unfortunately cybersecurity is never that simple. In answer to this single question, the CIO often cannot give all the information that is needed to understand the complexity of the cybersecurity case.
3. Translating cybersecurity to business value
In addition, cybersecurity is a complex topic that differs in language from other business topics that are discussed in the boardroom. It can therefore sometimes be a challenge to address cybersecurity in the form of business value and investment risk. It is up to the CIO to translate cybersecurity into business value so everyone in that boardroom can understand the topic discussed.
Bridging the gap
However, there are ways you can bridge the cybersecurity gap in the boardroom. First, board members have to take an active role in the topic of cybersecurity so that an in-depth discussion of it can be held. They know a lot about complex financial risks but lack experience in the field of cybersecurity. Second, they have to give the CIO the time to explain the complexity of any case that occurs. Finally, the CIO has to help by translating cybersecurity into a language the other members of the board can also understand.
Be aware that the gap differs per organisation, depending on where you are in your cybersecurity strategy. Nonetheless, I want to challenge you to start creating awareness of the cybersecurity gap in your own boardroom. How would you bring this to everyone’s attention?
VP Networking & Security | (Leadership) Coach/Mentor
3 years
Great to read this! As long as CIOs are not on the board of companies there will be a lack of IT understanding and decision making. If a company doesn’t understand what’s going on in IT, there is no hope that they will understand what their cyber risk is. While the CRO might look at compliance-based risk, that’s only representing half of the cyber security domain.