Cyber risk is one of the main challenges businesses face today.
Yet, according to the World Economic Forum, cybersecurity failure is still perceived as a short-term risk, increasingly leaving many vulnerable due to a "lack of readiness."
Whether you’re a tech leader or a board member, you share a responsibility to ensure the most important data is protected so that your business can move forward.
Kendra Ross is a cyber entrepreneur with a wealth of experience working on and with boards to highlight the importance of cyber resilience—here are her best tips for talking about the ‘S’ word (security) with your board.
Understand your risk profile
Every business is going to have a different risk profile.
The first place to start is understanding what that means for your organisation. Ask:
What are we protecting?
Why are we protecting it?
At the end of the day, this is what makes a viable business—your data. A smaller organisation may value its Instagram account as its most important asset; however, this isn’t necessarily going to be the case for a larger business. “It’s more likely going to be your supply chain,” says Kendra.
Formulate a cyber resilience plan
It's not just about your Plan A... what is actually more important is your Plan B and your Plan C.
After understanding the what and why, next comes the who. Who is responsible for what? Will you have to use a third party or do you have the resourcing internally?
Additionally, in the case of a data breach, your plan must include your response for when (not if) it happens. “No organisation, big or small, will be a hundred percent secure. That’s just not possible. Not when we’re in a digital world. Software has vulnerabilities. We’re doing business with multiple parties. We have lots of risk profiles in terms of the people as well as the technology,” explains Kendra.
This means asking more questions in the event of an incident:
Who is going to be the comms person?
Will we front up to the media straightaway?
Hold the board accountable
“The board actually needs to be responsible,” says Kendra. “It starts at the top in terms of behaviour.”
When an incident occurs, the board will be the first port of call. They need to have a spokesperson, and they need to know what the plan is—especially what resources are available in terms of budget and people.
The board is accountable for their own cyber resilience, too. This means that it needs to start and be practised at the board level.
Kendra suggests considering if the board will be well-versed in having cybersecurity conversations in the first place, or if an external advisor is needed. Alternatively, the board should have people that are building their own security knowledge via courses, books, and podcasts.
Collaborate and communicate regularly with the board
It’s fundamental to have a “mutually respectful relationship” with your board to be able to prioritise cyber resilience.
“Making sure we are speaking the same language is going to be important,” says Kendra.
From a management point of view, it’s how you tell that story to the board—and it’s critical that you’re getting your message across by putting the board at the centre of the story. “Make them the heroes.”
Internally, set up a subcommittee for cybersecurity just as you would with health and safety or compensation plans, and include both management and board members.
Recognise the business opportunities
Cybersecurity is a competitive advantage. Kendra ends by encouraging businesses and boards to see the economic opportunities in securing their data.
It's an essential part of business strategy. "Trust is currency in the market and the more trust people have in your products, the more they're going to engage with your products and your services."