Our business environment is evolving, and regulation is now part of everyday life in the enterprise, not only for BIG companies that operate in highly regulated industries but also for small and medium businesses. With the introduction of the Data Privacy Act and the EU's GDPR, people are now more conscious of how data processors handle the privacy of their subscribers.
Our management committee and members of the board of directors are more involved than ever in discussions and strategy around PII, cybersecurity, and the solutions needed to avoid becoming the next BIG breach.
The questions we are asking are no longer as simple as “are we secure?” but more to the tune of “are we doing all we can to minimize or transfer the risk, and what do we do in the case of a breach?”
Because of regulations such as the Data Privacy Act (DPA) and the EU's General Data Protection Regulation (GDPR), our management and board of directors need to understand more about these regulations and about information security (INFOSEC). Most of the time our CIOs/CTOs, and the CISO if you have one, cannot articulate what the board needs to know about security and its impact on the business. As IT executives we need to relay to the board:
- The assets and services the organization cannot go without: its crown jewels
- The security drivers and risks
- The risk assessment and the enterprise's response to those risks, to ensure survival, continuity and the organization's safety
Our board should ask questions such as:
- Are we demonstrating the appropriate level of due diligence, ownership, and effective management of cyber security risk that we owe to our organization and to our shareholders?
- What is our risk appetite if a breach ever happens to us? To what degree have we been discussing cyber security risk management in relation to business continuity and the threats to our organization over the past years?
- Is our prioritization and level of engagement on the topic of cyber security consistent with our perceived level of overall risk to the organization?
- Does our Board need to play a more active role in determining our organization's cyber security strategy? If so, in what way?
- Have any of our board members attended formal governance training specific to cyber security risk management? Should this be a requirement/option for some or all board members?
Start your long-term search for such a board member now, as it may take a long time to find a candidate with the right qualifications, the right cultural fit, and, of course, the availability to take the seat.