Source: Forbes | Tech Council and Juliette Rizkallah | April 25, 2017
Data breaches. First, they were the concerns of CISOs and CIOs. Some even lost their jobs after overmediatized breaches. Then CEOs got the spotlight, especially as brand reputations were damaged and customers left angry and churning. Today, board members are increasingly involved in discussions around companies’ cybersecurity and the measures needed to prevent being thrown into the next big headline.
We've come a long way from the days where board members would ask: Are we secure? They are now requesting scorecards that measure company security posture. They are also asking more questions related to regulations and how security controls can help demonstrate compliance. Soon, we will see boards demanding quarterly cybersecurity briefings -- some directly presented by the CISO -- rather than relying on the occasional update from the company security committee.
Because cybersecurity has experienced a "personality transformation" in recent years, the nature of boards’ attention to cybersecurity is also evolving. Before, it was all about the hardware of the enterprise -- its networks, firewalls and physical location itself. Fast-forward to 2017, and cybersecurity is now wholly centered on the less tangible and harder-to-control pieces: identities. Hackers today prefer people (through social engineering, phishing and other sneaky ways of getting a human to make a mistake) as their attack target du jour, and views on security and the attention of board members have shifted to identity.
This is an important shift, and, interestingly enough, board members will most likely play three very different roles when dealing with identity.
Boards As Targets
As we saw with the now-infamous breach of Colin Powell's email, which exposed a Salesforce M&A target list, board members are and will continue to be hackers’ targets. Board members communicate regularly via email with the companies they advise. Many times, they use their personal email accounts to communicate, which are typically less secure than corporate accounts. Most of the time their communication deals with very sensitive data: M&As, new market entry, personnel reshuffling and reorganization, and the usual financial data. That information, which is usually protected by a company’s full security infrastructure, is just sent over email via a file attachment to a group of directors, easily identifiable and therefore increasingly targeted.
A survey presented by Diligent Corporation's Dottie Schindlinger at the NYSE Governance Services Cyber Risk Board Forum in February reported that 60% of board directors use personal email regularly to communicate with fellow directors and executive management; 48% use their personal PCs or other devices to download board books and company documents; and 22% of them store these documents long-term on their devices.
The survey also reports that despite the mounting risk surrounding board communications, the main driver in deciding how communications between a board and its company are conducted remains with the board chairmen and not the IT department -- making board members that much more susceptible to a data breach.