7 Critical Things Your Board Should Address About Cybersecurity and Privacy

The growth in the size, number and sophistication of cyber breaches over the last 10 years has made cyberthreats one of the greatest threats of the 21st century. Governments around the world have developed strict data security and privacy laws, including GDPR and CCPA, in an effort to protect citizens. Data security and privacy have quickly become critical board-level topics.

This has changed the game for businesses of all sizes. Customers now request details about information security practices as part of the buying process; they need assurance that their data is in good hands. If you cannot demonstrate that you take information security seriously, they will no longer be able to work with you, which means losing customers and watching growth and revenue drop. If you agree in your contracts to follow security standards or privacy regulations and then don't follow through on implementation, you are leaving your business exposed to the risk of fines and lawsuits.

Most boards have come to this realization by now, but the next question is: What should boards be doing to ensure their companies are doing the right things? As the CEO of a company that specializes in information security, I have a few suggestions.

Ensure your organization has:

1. Appropriately assessed which privacy regulations it is required to adhere to. The company should also have adopted a security standard or framework that meets its needs. If you choose to consult information security and privacy specialists for this, verify that they have a strong understanding of your business and the customers you sell to.

2. Focused its efforts on risk. Standards and frameworks can help create benchmarks and provide guidance, but they can also cause teams to burn resources on trivial details while critical gaps go unaddressed. Prioritize initiatives based on risk: address the areas of greatest risk first, then continue to tighten up the rest.

3. The appropriate skills to assess and mitigate risk, with compliance managed on an ongoing basis. Security and privacy expertise is needed well beyond the initial work of assessing risk and designing a privacy and security program, so these skills must remain available to the business. This might mean hiring a full-time chief security or privacy officer or, for smaller businesses, having an expert on retainer or engaged at regular intervals. It also helps for the board to raise its own information security and privacy competence, either by recruiting an expert or by having current board members attend conferences, courses or webinars on the topic.

4. Determined which senior member of the team owns security and privacy. If no one on the team owns security and privacy, or if the owner is not held accountable for implementation and maintenance, security and privacy constantly fall to the sidelines. This leaves the organization vulnerable to breaches, lawsuits and loss of revenue.

5. Documented its information security and privacy program. If it is not written down and shared with the team, it will not be followed, leaving every team member to manage (or ignore) security according to their own interpretation.

6. Conducted testing and auditing regularly (and continues to do so). A review of the results should be a standing board agenda item. Without a process or system to test your organization's security and privacy practices, there is no way to know whether those practices are being implemented effectively. Testing also demonstrates to team members that noncompliance will be discovered and that there will be consequences.

7. Documented an incident response and disaster recovery plan. Despite all efforts, it is highly likely that at some point in your company's journey there will be a cyber incident of some sort. When it happens, it is critical to have a plan to contain the situation, minimize damage and keep the business moving forward. This includes an appropriate business continuity and disaster recovery plan, as well as insurance adequate to cover the financial losses a breach can cause.

Data security and privacy are the responsibility of the board. Board members should set aside time to learn more and make sure that appropriate attention and resources are being allocated. A company that is not meeting its requirements is susceptible to loss of revenue, data breaches and potential lawsuits. The board must address privacy and security in the same way it addresses every other risk to the business.

Originally published at https://www.forbes.com/sites/forbesbusinesscouncil/2020/07/27/cybersecurity-and-privacy-recommendations-for-boards/#5504296d7e22 on July 27, 2020.


Adam Brewer

CEO at Silent Quadrant | Principal at Quadrant Four

4 years

These were some great points on how cybersecurity plays a big part in today's business - glad I came across this read, Darren.

Shannon McFarland

Director of Marketing at Intezer

4 years

Yikes. Really eye-opening that companies can be unknowingly in breach of contract, agreeing to security standards or privacy regulations but not actually following through and monitoring compliance. I wonder if that will put more pressure on SaaS vendors over time to provide ongoing security compliance reports to their customers.
