According to the National Association of Corporate Directors’ research, just 12 percent of directors rate their board’s level of knowledge about cybersecurity risks as “high.” Here are three ways to help board members and other senior leaders improve their cyber-literacy:
1. Give your reports a tune-up
Directors get frustrated when management’s cybersecurity reports are heavily focused on operational metrics and loaded with tech jargon. How frustrated? Fewer than 20 percent of directors told NACD they were “very satisfied” with management’s cybersecurity reports in our most recent survey. Reports that highlight trends and patterns over time, show relative performance and point to specific business impact will spark productive discussions with non-IT audiences.
Dona Young is the lead director at Foot Locker Inc., and also serves on the boards of AEGON NV and Save the Children International. While her executive experience includes general counsel and CEO roles in the insurance industry, Young is actively engaged in cybersecurity matters on all her boards. She says, “Keep dashboards simple, practical and informative. The board wants to know about context: key risks, trends and preparedness.”
2. Bring in outside perspectives
Cybersecurity is a complex, fast-moving space. Everyone benefits from periodic updates from law enforcement or third-party experts. Chris Wilson, former CEO of Columbia Funds, is a director at ISO New England and a trustee of Invesco Funds. Like Young, he’s a non-IT native who has enjoyed the experience of becoming cyber-literate through his board work.
Wilson says, “It’s critical for boards to get independent [opinions] on cybersecurity issues,” citing external audit firms and regulators as helpful sources.
The board should also ensure that internal audit’s review processes are keeping pace with cyber-risks. Like members of the management team, directors can also avail themselves of a wide range of cyber-education opportunities to help keep their knowledge fresh.
3. Make it real
In addition to sharing the results of the organization’s tabletop cyber exercises and breach drills with board members, provide directors with hands-on training related to good cyber hygiene, such as phishing simulations. Aside from the practical education benefits, this helps reinforce the notion that cybersecurity is everyone’s job, which will help build a culture of cyber-awareness from the top of the organization down.
Board members and business leaders don’t need to be cybersecurity experts to play an effective role in the organization’s cybersecurity strategy. As Young points out, “Good directors bring intellectual curiosity and a spirit of inquiry into the boardroom. When we apply those skills to cybersecurity issues, we can help our companies and organizations be more resilient.”