The importance of cybersecurity in safeguarding a business’s assets, financial resources, reputation, and investor confidence cannot be overstated. As a result, boardrooms are increasingly recognizing the critical role cybersecurity plays in mitigating risks to their organizations.
Steve Durbin
Chief Executive, Information Security Forum
Steve Durbin is a frequent speaker on the Board’s role in cybersecurity and technology.
Let’s delve into the nine major concerns that are currently at the top of boardroom agendas regarding cybersecurity, ranging from data breaches and privacy violations to regulatory and legal risks. Understanding and addressing these concerns is essential for business leaders to demonstrate the strategic value of cybersecurity.
1. Data breaches and privacy violations
Boardrooms express significant worry over data breaches and the exposure of sensitive data like intellectual property, financial records, and customer data. Failure in cybersecurity defenses can result in regulatory scrutiny, civil lawsuits, penalties, and loss of customer trust. Prioritizing data preparedness to prevent cyberattacks and privacy infringements is a top concern for boardrooms.
2. The SEC’s cybersecurity disclosure rules
The U.S. Securities and Exchange Commission (SEC) Risk Management, Strategy, Governance, and Incident Disclosure rules that came into effect last year have introduced a range of critical considerations for public company boardrooms. Boards must now explicitly understand the SEC mandate, establish risk management and governance strategies, appoint oversight committees responsible for mitigating cyber risks, and, finally, disclose “material” security incidents in annual reports.
3. Skyrocketing ransomware costs
Ransomware attacks have become a major boardroom concern. Organizations that are victimized by sophisticated ransomware experience major disruptions and downtime, million-dollar extortion demands, legal and insurance implications, potential supply chain stoppages, and erosion of business reputation. On average, businesses shell out about $5 million in ransomware recovery costs.
4. Evolving geopolitical threats
The Middle East conflict, the war in Ukraine, tensions between the United States and China, and general competitive pressures create conditions where state-sponsored threat actors and hacktivists seek to attack organizations in order to disrupt them, steal sensitive data, or conduct espionage. Furthermore, there is a disturbing rise of threats to infrastructure by adversaries from anti-Western nations such as North Korea, Iran, and Russia.
5. The rise of AI-powered threats
Artificial intelligence and machine learning are arming malicious actors with new capabilities, enabling them to execute attacks more efficiently and with a higher degree of precision. Using AI, attackers can target or impersonate business executives and employees, use deepfakes to spread disinformation and undermine democratic institutions, automate cyberattacks, and expose hidden vulnerabilities. AI introduces greater data security and privacy risks; employees share sensitive data with AI, which can lead to data breaches. Attackers can also prompt engineer AI to override its security protocols and manipulate it to reveal hidden data.
6. Supply chain security
The globalization of the supply chain introduces major cybersecurity risks, and this is raising boardroom concerns. Any breach or cyberattack on a supply chain partner can compromise the entire ecosystem. Cybercriminals tend to target weaker links in the supply chain or attack software supply chain vendors to infiltrate larger, more secure organizations.
7. Resilience and preparedness
As cyberattacks increase in scale, intensity, and frequency, boardrooms are concerned about prevention and resilience. How prepared is their business to thwart a cyberattack? Do they have enough security expertise and resources at hand? How quickly can they recover? Do they have incident response and contingency plans? Is the infrastructure stress-tested? These are top-of-mind boardroom concerns.
8. Security ROI
Boards are responsible for overseeing the company’s financial health, including its profitability, cash flow, and efficient allocation of capital. They rely on security and risk leaders to furnish credible data that can elucidate the concrete and abstract ROI advantages yielded by security expenditures, thereby enabling more informed decision-making on capital allocation. The challenge of substantiating security investment and strategy with data frequently remains unaddressed, raising concerns about security ROI in boardrooms.
9. Regulatory and legal risks
The regulatory environment, especially around data privacy and cybersecurity, is becoming increasingly complex, with boardrooms having to ensure that the organization complies with various local, national, and international laws and regulations. Non-compliance can result in legal action, severe penalties, and other disruptions. Ensuring compliance with regulations and the management of legal and privacy risks across nationalities and jurisdictions can be a major boardroom concern.
Demonstrating cybersecurity proficiency to investors and stakeholders is no longer an obligation; it has become a liability. It is imperative that security leaders alleviate boardroom concerns by reframing cybersecurity as a strategic investment and aligning security objectives with business goals.