Article

Elevating Cybersecurity to the Boardroom

This article comes from Paperjam published in July 2024.


In today’s digital era, the responsibility for overseeing cyber-risk management in modern organisations is increasingly falling on the shoulders of Boards of Directors. However, evidence indicates a concerning trend: boards are not nearly as engaged in cybersecurity as they are in other critical areas of oversight. This disengagement poses a significant threat to the very foundation of organisational security.

The Current State of Cybersecurity Oversight

Traditionally, directors have focused their attention on financial performance, regulatory compliance, and strategic growth. Cybersecurity, despite its growing importance, often remains a marginal concern. This lack of engagement can be partially attributed to the multifaceted roles that many board members juggle. Directors holding multiple board positions may struggle to dedicate sufficient attention to cybersecurity issues in any single organisation.

The Impact of High-Profile Breaches

Organisational factors, such as the media attention that cyber breaches attract, play a significant role in driving director engagement. High-profile cyber incidents make headlines and bring public scrutiny, compelling boards to react. However, this reactive approach is insufficient. Boards need to adopt a proactive stance, integrating cybersecurity into their strategic oversight regularly, not just when a crisis strikes.

A notable development in this regard is the emergence of ‘push reporting’ in cybersecurity. This approach involves regular, structured reports on cybersecurity status and risks being pushed to the board. Such systematic reporting can significantly enhance board members’ awareness and understanding of cyber threats, promoting a more proactive and informed approach to cybersecurity governance.

Regulatory Pressures and the Need for Cyber-Savvy Directors

New regulations, such as the Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive (NIS2), are raising the stakes. These mandates require management and boards to take accountability for cybersecurity, making it imperative for board members to be adept in cyber-risk management.

Under these regulations, ignorance is no longer an excuse. Boards must ensure they have the necessary expertise to oversee cybersecurity effectively. This calls for the inclusion of directors who are well-versed in cyber risks and can address them effectively at the board level.

The Path Forward: Building Cyber-Resilient Boards

To build a cyber-resilient board, organisations need to take several critical steps:

1. Recruit Cyber-Savvy Directors: Boards should seek out members with a strong background in cybersecurity. This might involve recruiting former CISOs, IT leaders, or experts with experience in managing cyber risks.

2. Continuous Education: Cyber threats are constantly evolving. Regular training and education sessions can help directors stay updated on the latest threats and best practices in cybersecurity.

3. Enhance Reporting Mechanisms: Implementing structured, regular cybersecurity reporting to the board can keep directors informed and engaged. This includes not only reporting on incidents but also on the organisation’s overall cyber health and risk posture.

4. Foster a Cybersecurity Culture: Boards should promote a culture of cybersecurity throughout the organisation. This involves setting the tone at the top and ensuring that cybersecurity is integrated into the organisational strategy.

5. Establish a Clear Cybersecurity Strategy: Boards should ensure that a comprehensive cybersecurity strategy is in place. The policies that support it should outline roles and responsibilities, incident response protocols, and regular risk assessments to maintain a robust cybersecurity posture.

As cyber threats continue to escalate in frequency and sophistication, the role of the Board of Directors in overseeing cyber-risk management has never been more critical. By taking a proactive stance and ensuring they have the necessary expertise, boards can safeguard their organisations against cyber threats and steer them toward a secure digital future. With regulations like DORA and NIS2 underscoring the need for accountability, the time for directors to elevate their engagement with cybersecurity is now.

Organisations looking to enhance their board’s cybersecurity capabilities can benefit from the expertise of advisory firms like Grant Thornton. With extensive experience in guiding management and board members, Grant Thornton Luxembourg provides the necessary insights and strategies to build a cyber-resilient organisation. Their expertise ensures that boards are not only compliant with new regulations but also capable of effectively managing cyber risks at the highest level.


With more than 340 people and 20 partners, Grant Thornton Luxembourg is a leading provider of Audit, Tax & Accounting, Advisory, Financial Services and Technology services for all types of entities in Luxembourg.
