Over the past 12 months, most board agendas have been dominated by business continuity during the pandemic. Yet this should not become an excuse to neglect the board's obligations around cybersecurity. In fact, according to Gartner, 40% of boards of directors will have a dedicated cybersecurity committee by 2025. This is evidence that board members are finally waking up to the real risks that cybersecurity threats pose to companies of all sizes, and that securing sensitive information is not solely an issue for IT teams.
Where should the board be directing its attention?
Unfortunately, fewer than half of data security and risk executives feel confident that their company is dedicating enough resources to protect itself properly against potential cyberattacks. Cybersecurity may sound like a topic that only IT or security experts can deal with, yet the reality is that board members are essential in making sure a company is sufficiently protected. Cyberattacks can result in reputational damage along with legal and operational issues, which may affect the entire company in the form of a regulatory fine or a loss of brand reputation among customers, partners and suppliers.
The key is communication: board members need to be confident that sensitive data is being protected, and they need to ensure that it is. This is achieved by stressing the importance of, and embracing, a data-centric security strategy. That message and responsibility should also flow down to every department across the business. Organizations need to focus on where and how they are securing data, especially with the rise of digital transformation and regulatory requirements such as PCI DSS, HIPAA, GDPR and CCPA. Momentum is now picking up as boards of directors form special committees dedicated to combating cyber risk. These committees provide a space to discuss cybersecurity matters while including all levels and sectors within a company. This is an important step away from the IT-centric focus under which many companies still operate.
Why data-centric security?
Throughout the past several years, we have seen a massive shift to digitization and use of the cloud. This puts sensitive data at risk, because companies often still rely on a perimeter-focused security strategy, leaving their information exposed to cybercriminals who manage to get past traditional perimeter controls. It is essential for organizations to build a comprehensive security strategy that concentrates its efforts on protecting an organization's most sensitive asset: Personally Identifiable Information (PII). All data must be secured against unauthorized access, whatever the size of the company. One example is Identity and Access Management (IAM), which has proven to be a highly effective approach: it assigns roles to specific users and grants specific permissions to those roles. Over time, these role assignments and permissions should be regularly reassessed so that the data remains secure. It is fundamental to protect sensitive data as it moves between on-premises systems and the cloud, and to invest in a security strategy that leaves no room for cybercriminals to squeeze past.
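To make the IAM point above concrete, here is an added Python example (not code from the original article or any product it mentions) of the two controls the paragraph describes: a role-based permission check, and a periodic access review that flags role assignments nobody has recertified within a fixed window. All role names, permission names, users, dates and the 90-day review window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role catalogue: each role grants only the permissions listed here.
# The role and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "billing_analyst": {"read:card_tokens", "read:invoices"},
    "support_agent": {"read:customer_profile"},
    "dba": {"read:customer_profile", "write:customer_profile", "read:card_tokens"},
}

# Review window (assumed): an assignment not recertified within this many
# days is reported as overdue and should be re-approved or revoked.
REVIEW_WINDOW_DAYS = 90


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted_on: date
    last_reviewed: date


def is_allowed(assignments, user, permission):
    """Return True only if some role assigned to `user` grants `permission`.

    Unknown users, unknown roles and unknown permissions all fall through to
    False, so the default is deny.
    """
    for a in assignments:
        if a.user == user and permission in ROLE_PERMISSIONS.get(a.role, set()):
            return True
    return False


def overdue_reviews(assignments, today, window_days=REVIEW_WINDOW_DAYS):
    """Return the assignments whose last review is older than the window."""
    cutoff = today - timedelta(days=window_days)
    return [a for a in assignments if a.last_reviewed < cutoff]


def revoke(assignments, user, role):
    """Return a new assignment list with the given user/role pair removed."""
    return [a for a in assignments if not (a.user == user and a.role == role)]


# Constructed sample data: one current assignment and two that have not been
# reviewed since late 2020, one of which carries write access to PII.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "billing_analyst", date(2020, 1, 15), date(2021, 5, 20)),
    Assignment("bob", "support_agent", date(2019, 8, 1), date(2020, 11, 2)),
    Assignment("bob", "dba", date(2018, 3, 3), date(2020, 11, 2)),
]
TODAY = date(2021, 6, 1)  # fixed "today" so the example is deterministic


def review_report(assignments=SAMPLE_ASSIGNMENTS, today=TODAY):
    """Summarise what an access review would show for the sample data."""
    overdue = overdue_reviews(assignments, today)
    return {
        "overdue_count": len(overdue),
        "overdue_users": sorted({a.user for a in overdue}),
        "write_pii_users": sorted(
            {a.user for a in assignments
             if is_allowed(assignments, a.user, "write:customer_profile")}
        ),
    }


if __name__ == "__main__":
    print(review_report())
    # After the reviewer revokes the stale dba role, bob loses write access.
    trimmed = revoke(SAMPLE_ASSIGNMENTS, "bob", "dba")
    print(is_allowed(trimmed, "bob", "write:customer_profile"))
```

The default-deny check and the recertification report are the pieces a board can actually ask about: who can write to PII today, and when each of those grants was last justified. Revoking on review, rather than only on departure, is what keeps the role model from drifting over time.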
Securing a company against potential cyber threats should not fall to the IT department alone. Board members need to be data security advocates. They must continue to take responsibility and involve themselves in building an extensive security strategy that protects their customers, their partners and their own internal sensitive data. Communication between the board, management and the security team is essential, and organizations need to take a proactive stance. Companies are only as strong as their weakest link, and when it comes to confidential information, we all know it's better to be secure than sorry!