It’s 2019. By now, your board of directors is probably aware of the importance of cybersecurity and information technology. But the increased emphasis surrounding the rapidly-evolving digital landscape is nothing new. Deloitte’s 2016 Board Best Practices Report found that 8% of boards considered “Technology and Data Analytics” among their top three priorities for the coming year. 22% of boards listed “Cybersecurity” in their top three priorities (up 6% from their 2014 report). But is increasing emphasis on cybersecurity and information technology (IT) oversight enough to warrant the chartering of a committee? Let’s find out if your board needs a cybersecurity committee, IT committee, or both!
What Does Cybersecurity Encompass?
Cybersecurity encompasses the safety and security of any information or communications which exist in the digital space. It’s a long-winded way of saying you stand to lose a lot more than just your password in the event of a breach. Hackers and fraudsters can gain access to names, email addresses, phone numbers, credit card numbers, bank information, sensitive emails, and an organization’s confidential data. The information that stands to be compromised during a cyberattack varies by organization and industry.
But one thing remains constant. It’s never information you want in the wrong hands. While strong cybersecurity often requires an organization to employ digital defenses, physical defenses cannot be overlooked. Without proper security, the enterprising hacker must simply wait until one of your employees leaves their computer unattended while they place their coffee orders, run to the bathroom, or step outside to take a call. It takes less than 15 seconds for a hacker to transfer data from an unattended company computer onto a USB memory stick. In some cases, an organization’s cybersecurity may be compromised by natural disasters. Power outages, flooding, blizzards, and other inclement weather conditions may place an organization’s data at risk if its servers go down without a proper backup in place.
Hackers may also choose to target an organization’s data centers directly. Breaching a company’s servers can give a skilled hacker carte blanche access to your most confidential data. The opportunities for hackers to breach a company’s cybersecurity have grown as access to wireless internet has spread to more devices. In 2018, a hacker was able to manipulate an army of 18,000 devices connected to the Internet of Things (IoT) — devices such as smart fridges, app-controlled light switches, Amazon Echos; even some pacemakers! If this sounds terrifying, that’s because it is. The threat of a well-coordinated cyberattack carries devastating consequences with more vulnerabilities being discovered by the day. Let’s discuss what a cybersecurity committee can do to mitigate the risks.
Read more:
- A Cybersecurity Overview for University Board Members
- Cyber Security Becomes a Boardroom Priority
- Boardroom Information Security Questions
The Role of a Cybersecurity Committee
The committee responsible for addressing cybersecurity within your organization may be referred to as the “cybersecurity” committee, but some organizations prefer the term “cyber-risk”. In some cases, an organization’s cybersecurity obligations may be delegated to the “risk committee”, broadening the scope of responsibility.
To best address an organization’s cybersecurity concerns, the cybersecurity committee must assess the company’s risk profile. This often entails a detailed examination or audit of a company’s digital vulnerabilities, existing defenses, and areas of improvement. As a general best practice, many companies opt for a standard palette of cyberdefenses such as a data retention and deletion policy, disabling USB and external storage capabilities, and implementing a VPN for remote workers.
A cybersecurity committee is often tasked with overseeing the development and implementation of an organization’s cybersecurity policy, laying out the standards to which employees must adhere to mitigate the company’s vulnerability. This policy often includes the protocols for detecting and reporting suspicious emails, using a work computer in public places, and proper storage for devices when left unattended (in a car, purse, etc.). Strong cybersecurity requires a group effort. The changes a cybersecurity committee oversees will only be as successful as their implementation.
Cybersecurity committees will almost always be responsible for overseeing the development of procedures for a variety of “worst case scenarios”. What do we do in case of a breach? What happens if our data center is flooded? What does damage control look like, both internally and externally? These are all things the committee must consider when coordinating response procedures. Of course, this will likely mean working closely with cybersecurity experts both inside and outside of the organization. Expert knowledge goes a long way to ensuring that an organization has mitigated its risk of a cyberattack.
A lot of risk and responsibility is weighted on the shoulders of a cybersecurity committee. The stronger the committee, the more effectively they will be able to live up to their responsibility. Committee members will need to have a combination of expert knowledge and cybersecurity experience. A small group is often able to operate more efficiently. Maximizing the committee’s decision-making effectiveness gives them their best shot at taking on the enormous challenge of implementing strong cybersecurity defenses.
What’s Included in Information Technology?
While it’s not the most accurate definition, it may be easiest to think of “information technology” as the physical and digital infrastructure that “cybersecurity” works to defend. More specifically, “information technology” describes the use of physical devices and networks to store, process, and exchange data. This includes devices such as computers, servers, and storage systems as well as the software and operating systems those devices employ. This also includes the databases used to store the data used in an organization’s day-to-day operations and recall that data for use as needed. An organization’s information technology is a complex and delicate infrastructure that spans both the physical and digital space. In most cases, it takes a team of well-trained experts to keep it all running smoothly.
Read more:
- All Boards Need Tech Expertise
- Technology and Nonprofit Boards: 3 Ways Tech Can Move You Forward
- Technology Makes for Better Banking Boards
- How Artificial Intelligence Will Change the Boardroom
- What Bank Boards Lose When They Use the Wrong Technology
The Role of an IT Committee
For organizations with an effective IT team, the role of an IT committee is fairly straightforward: overseeing their operations, expenses, planning, and strategies. This is not to say “micromanaging” and organization’s IT team, but rather, ensuring that their current and future operations are aligned with the priorities, requirements, and desired growth of the company. Reviewing the expenses of an organization’s IT team often means working with employees to determine which devices and improvements to a company’s digital infrastructure will yield the best return on investment. Both cybersecurity committees and IT committees are often required to oversee the development and implementation of standards and protocols to which an organization’s employees must adhere. Both committees are also typically held responsible for investigating and reporting on incidences, outages, and breaches as necessary.
Does Your Board Need Both?
To be clear, there’s nothing wrong with chartering a separate committee for IT and cybersecurity. However, the larger the pool of decision-makers and influencer grows, the harder it can be to make focused, effective decisions. Focusing your resources and efforts on developing a single, highly-effective committee can be a great option for any board concerned with stretching itself too thin. If you find yourself needing to choose between the two, a cybersecurity committee is often the better choice.
Most organizations have, at the very least, a small team of employees dedicated to overseeing information technology. Few, however, make an equal investment in recruiting employees for cybersecurity operations. Strong communication between a board of directors and an organization’s IT managers may eliminate the need for chartering an IT committee. Fulfilling the daunting and consequential duties of cybersecurity is often a little more involved and there is very little overlap between the breadth of these responsibilities and an IT team’s day-to-day operations. For this reason, it’s often best to prioritize the chartering of an effective cybersecurity committee over an information technology committee when your board is in a position to choose between the two.Of course, if your board wants to ensure that its committees are equipped to maximize their decision-making effectiveness, Directorpoint’s Board Management Software is here to help. Want to learn more about what we’re doing to help organizations make better decisions across the board? Schedule a software demo today! You can also contact us online or over the phone at (888) 492-7020.