Cyber: Exercising board oversight responsibility

Cyber security is only as strong as your weakest link – and the weakest link is most often the people. Communication is beneficial for all.


When we work with boards of directors, one of the areas we really want to focus on is: What are the priorities companies should think about when they consider cyber and cyber risk?

Some organizations just like to focus on the technology aspect of it, and while that's an important area, it's one of only six areas we believe companies should be focused on.

The first one starts with leadership and governance. Do we have the right team able to make the right decision over our cyber approaches?

Are we sure that our processes and our technology investments around cyber link to our business priorities, while making decisions timely and effectively?

Two, what about the human capital – our employees, our business partners? Are we sure that they're being trained and properly aware of how they're using information? Today, every employee is really some form of a knowledge worker.

No. 3, and this is very, very hard to do. Do we know what information we really have, and do we know where it's stored and how it's protected? That's absolutely critical for organizations to get right.

Fourth, are we prepared if we experience a cyber breach? Do we know what we would say, how we would react, how we would communicate, with whom and in what time frame? If you haven't gone through that before, it's well recommended you build a very solid plan and test that plan accordingly.

Fifth is that technology control space. It's absolutely critical we get that right. It's fundamental. It's only one of six areas that should be covered when thinking about cyber risk, and six is really the compliance and regulatory landscape, which is changing dramatically at a global scale today and will only increase and become more complex on a U.S. basis moving forward.

We see an organization that can embrace and review all six of those areas really demonstrating due care about cyber and not just focusing on one or two key elements.

So many organizations who have not had the opportunity to go through a cyber breach aren't prepared to know who to communicate with, how to communicate, how to forensically respond to that issue. Having a good plan and being prepared for an issue is absolutely key.