Why Board Members Are Suddenly Interested in Cybersecurity

Executives finally see that a proactive solution can transform business intelligence. Now it's your job to demystify it for them.


The imperative to get entire C-suites engaged in cybersecurity has created a collateral effect: a surge of board-member interest in the value of companies’ security investments.

This could be a knee-jerk response to the expanding landscape of breaches and the domino effect of damages they incur. Or it could be a reaction to the Cybersecurity Disclosure Act of 2017. The bill, currently making the rounds in Congress, will, says SecurityWeek, “make the board legally and transparently responsible for cybersecurity.” This puts even more onus on enterprise security teams to button up, yet demystify, security.

We’ve collectively come to realize that threats—both those originating inside the enterprise and others infiltrating it—cannot be stopped. Instead, they must be mitigated. An IT team’s challenge is finding a solution that’s holistic. It should immediately react to the earliest stages of an attack, while providing useful intelligence for other departments, thus nurturing business growth.

A June 2016 Osterman Research survey of board members reveals that:

  • 59% say one or more IT security execs will lose their jobs for failing to provide actionable information
  • 54% agree or strongly agree that the data presented is too technical
  • 85% think IT and security execs need to improve how they report to the board
  • 2 out of 5 are not convinced that risk is reduced, based on discussions with their security teams

Meanwhile, the National Association of Corporate Directors (NACD) recently released its “Cyber-Risk Oversight” handbook. CSO Online breaks down its five main principles, which can be further distilled into one overarching concept: Cybersecurity may serve different purposes for different employees, but it must be treated as an enterprise-wide collaboration.

Some companies are attempting to bridge the divide between IT and business imperatives by adding security vets to their ranks. TechTarget points out, for instance, that Huntington Bancshares, Inc. appointed ex-NSA deputy director Chris Inglis to its board. And Sally Beauty Holdings, Inc. elected Erin Nealy Cox, a former executive managing director at the risk-management company Stroz Friedberg, to its board’s audit committee.

Yet finding executives with intricate knowledge of technologies (which often require specialized skills) is a tall order. “As it stands now,” Jeremy Bergsman, an IT practice leader at CEB, tells TechTarget, “what they really need is someone to interpret for them.”

But what if companies factored out the decoding process entirely? From a time and economic perspective, it makes more sense to instead rethink reports.

Enterprises that deploy analytics-based security benefit from greater accuracy—especially in comparison to SIEMs—and don’t require specialized training. Now sharpen those analytics with machine learning, and not only will threat detection grow swifter and more precise, but the platform can also synthesize its findings into richer reports.

Comparing technology when shopping for an analytics product is, indeed, important. For instance, adaptability is essential: A platform needs to evolve with the enterprise’s expanding data, along with the cyber threats it faces. But that’s only half the challenge. Much business growth hinges on intelligence that’s lucid and therefore actionable. Because what’s the point of a report if no one can decipher it?

With the right insight, enterprises can bypass a long, expensive forensics process with a clear picture of an attempted attack (the who, what, where, when, and how). It would also imbue everyone from IT managers to C-suiters to board members with visibility into areas of risk and help ensure compliance. Ultimately, it would preserve company stability and nurture its growth.

There’s a reason these learnings are called intelligence: They should make your enterprise smarter.