Dave Nelson, CISSP, is president and CEO of Integrity.
Individuals serving as officers or directors of an organization have a responsibility to investors and clients to ensure that the organization is being run well. This includes multiple facets of the organization's operations such as finance, regulatory compliance, people management and risk management. So much responsibility is placed on these individuals that an entire insurance market is devoted to protecting them through the sale of directors and officers (D&O) liability policies. Evidently the roles of officers and directors are so important that a mistake in their judgment could create significant losses. Why is it, then, that so many in this role continue to allow a blind spot in their oversight to exist? This blind spot is information security.
Officers and directors need to take a more active role in assessing how well organizations are handling the threat of a data breach. Here are some practical examples of steps that can be taken to provide board-level visibility into cybersecurity preparedness.
- Implement an IT risk management program to identify, classify, track and address technology risks within the organization. This not only helps identify risks but also provides a prioritized action list to ensure time and money are being spent on the largest risks, not just pet projects.
- Require a quarterly or semiannual report on cybersecurity, including any incidents, performance metrics or other data, to confirm that progress is being made toward your security goals and that information security expenditures are measurably reducing the risks they were funded to address.
- Ensure the individual responsible for information security has at least a dotted-line reporting structure outside of the technology group. This is extremely important to ensure that the security function's voice is heard and not suppressed by the very management it is reporting on.
- Require that a robust incident response plan be generated with predefined team members, third-party experts and general counsel. The time to determine how to respond to a breach is not during the breach. Exercise the plan at least annually, for example through a tabletop exercise, so that it continually adapts to changes in business practices or regulatory requirements.
- Use a common information security framework such as the NIST Cybersecurity Framework, ISO/IEC 27001, HITRUST CSF or PCI DSS to guide security activities and expenditures. These frameworks have been vetted over many years and ensure a consistent approach to information security. Note that PCI DSS is scoped to payment card data and is a contractual obligation for organizations that handle it, so it complements rather than replaces an organization-wide framework.
- Consider using an external security firm, independent of the team being assessed, to perform a security assessment to ensure the standards of due care and due diligence have been met.
Officers and directors will be called upon more frequently to defend an organization’s information security practices as legal proceedings increase due to data breaches. By requiring a basic level of protection and receiving regular updates on security activities, board members will be better prepared to answer questions about the maturity of their organization’s cybersecurity posture.