Why Your Board of Directors Needs to Be Involved in Cybersecurity

While the board of directors is not directly responsible for the security of the organization, the cybersecurity culture, organizational structure, organization’s governance model all play an important role in defining the overall cyber health of an organization.

The ability to make informed and optimal investments in cyber risk mitigation is something every senior executive should have.

With news of data breaches, ransomware attacks, and zero-day vulnerabilities making headlines, cybersecurity is likely appearing even more frequently on the agenda in many board meetings.

But while cybersecurity is now on the agenda, this doesn’t mean that board directors understand how to tackle the issue. After all, most board members have expertise in other forms of risk, and not necessarily in how to protect corporate assets from nation-state attackers and highly organized cyber adversaries.

The good news is that there are several practical steps directors can take to protect their organizations:

1. Cyber Governance

The first question for your board of directors should be: Who owns the management of the cybersecurity risk at the board level and management level?

Typically, boards delegate cybersecurity oversight to the audit committee—or to the risk committee if one is part of the board’s governance structure—for a more concentrated review, with periodic reports to the full board. Others approach cybersecurity as a matter to be overseen by the full board. Company size, industry, and existing board risk management structures will dictate the best approach.

While security executives have a reputation for complicating operations and product development with the burdens of technical operations, their role is actually to enable business. By including them in the discussions about your immediate and long-term business priorities, customer issues, and overall strategies, your directors can ensure that the company’s security plan aligns with the company’s business goals.

2. Cybersecurity Strategy and Risk Oversight

Too often, IT presents boards with cybersecurity reports that are technical but lack an enterprise-wide strategic overlay. For effective oversight, your board should hold senior management accountable to ensure that a clear and concise cybersecurity strategy is in place. This must be done along with the systems and controls needed to account for successful implementation. Most importantly, a concise, high-level cybersecurity strategic plan must be agreed to by the board and senior management.

3. Risk-based Strategy

Instead of a prevention-based approach, cybersecurity strategy has evolved to a risk-based approach. Effective cyber strategies now allocate security resources around a company’s information and processes, with additional layers of protection around the most valuable assets.

Your board should consider seeking regular, independent third-party reviews on strategic best practices for companies with similar industry, size, and risk profile.

4. Plan ahead for security incidents

You should accept that despite your best defensive efforts, your company will likely be breached at some point. Therefore, your board needs to ask about your company’s incident response plan and ensure that it is current and that contingencies exist for extreme scenarios, multiple incidents, or when third parties are affected.

Make sure that the plan is thorough: marketing, crisis communication, risk mitigation, and decision making in the moment can be overwhelming and lead to errors.

5. Compliance

For the foreseeable future, cyber risks are potentially more consequential than other enterprise-significant risks. It is important that the general counsel, internal audits and Enterprise Risk Management (ERM) give cybersecurity a high priority.

Increasingly, cybersecurity is becoming more of a legal and regulatory area where the general counsel’s lead on assuring disclosures, full understanding of legal risks and adequate crisis management plans will be critical.

6. Focus on culture as well as technology

Security is so much more than purchasing antivirus software and conducting penetration testing. It also entails changing corporate culture. and helping employees realize that the duty of keeping intellectual property, customer information, and other business data safe isn’t limited to security and IT personnel. It’s a task that requires the full effort of the entire company.

Ideally, board directors should eliminate obstacles that prevent organizations from developing a culture of proactive cybersecurity. Without strong support from executive management and the board, companies are unlikely to develop strong cybersecurity practices.

7. Pick the right tools

Sending board documents via e-mail or courier could mean losing control of your most sensitive documents. You cannot control that the board pack and other documents reach your board members. At the same time, you don’t know what happens to the documents after they reach their rightful recipients.

When using a board portal like Convene, you are in complete control of the distribution process of your company’s most sensitive information. By using Convene, you ensure everything takes place within a secure and encrypted platform, only accessible for authorized users. Moreover, Convene’s multi-layered approach offers users high levels of data protection, access control, availability, and application security.

More than just a secure distribution channel, Convene is also a safe and effective collaboration and communication tool for the board members before, during and after the board meetings.

Your board members can take notes and annotations and choose to share their notes with other users within the portal. At the same time, Convene’s Conversations feature makes possible secure communication and collaboration between directors.

Convene for Your Board

Using a board portal like Convene means increasing control, not just over the distribution of board documents, but throughout the process and at all stages. This is ensured by features such as:

• Multi-factor authentication

Access to Convene can be restricted to registered devices and browsers. Additionally, before a user can log-in to Convene, a verification code must be entered.

• Role-based control

System Administrators are able to grant access rights depending on each user’s role. Meeting organizers can also assign meeting roles to meeting participants. These roles define and limit what participants can do during Live Meetings and with the board material.

• Watermarks

An additional layer of security can be added to documents with a customizable watermark. Watermarks discourage people from misusing file contents, and helps identify if the document is an original or a copy.

• User log and activities

Administrators can track all activity at any level within the application. This includes login attempts, file downloads, meeting updates and changes in user profiles.

• Copy restrictions

To minimize exposure of customer data, Convene prevents the copying of documents’ content to other applications.

• Remote Data Wipe

Using Convene means you can take some of the horrors out of losing your device. The remote-wipe feature allows you to remotely remove your most business-critical documents from the device on a permanent basis.

When it comes to security in the boardroom, our excellent track record of over 25 years is a testament of our unparalleled performance in the IT industry.

Want to find out more? Download our White Paper on Combating Cybersecurity Risks in the Boardroom or get in touch today to find out how Convene is the safe choice for your company.

Read also about our security features that will protect your board from data leaks and cybersecurity threats.