by Dawn Dunkerley
Contributing Editor

Simple isn’t easy and technical language doesn’t make you smart – an approach to managing cybersecurity risk in the board room (2nd in a three-part series)

Whose job is cybersecurity really?

When we mention cybersecurity to senior executives at a client or prospect, we are often shown the directions to the IT department and hurried away before anything too technical can be uttered and the chance that an executive or board member is put in an uncomfortable position is eliminated. IT definitely plays a role in executing cybersecurity imperatives and should serve as the threat detector, policy creator, and systems architect that underpin securing infrastructure. Yet there is not enough money or time in the world to keep current on every vulnerability and all the permutations that can be used to exploit an organization’s network.

So, is the operations group responsible for cybersecurity just like they are responsible for the physical safety of workers or economic success? Yes, but hopefully in a value-based, risk-balanced way. Miners wear hard hats, but to be truly safe from head injury, they should stay home, far away from potential falling rocks or objects. There should be a healthy push and pull within operations to ensure an organization walks the line between locking down systems through process, technology, training/standards and carrying out their core operational tasks efficiently.

The CFO or risk managers look after insurance policies, and this (hopefully) includes business interruption insurance related to cyber events. Therefore, wouldn’t this be the department that owns cybersecurity across the business? Well… a CFO should consider risk in all its forms, including hedging against market shifts/shocks through protecting against lost time caused by cyber-attack. The analysis of value at risk requires the detailed eye of a finance department using a standard methodology for quantifying risks, cyber or otherwise, and making tradeoffs based on data. That said, it is likely, for example, a hotel chain carries a property policy with a top-rated insurance carrier should fire damage their facilities. The insurance payment will greatly aid in offsetting a loss but will do little to nothing when the work involved in cleaning up the literal ashes pulls resources from elsewhere in the organization.

Who, then, is left with accountability for cybersecurity? The CEO and the Board of Directors (read: you). Cyber risk is business risk. It takes the vantage point of the board to truly supervise scarce resources (people, capital, time, etc.) and be effective in mitigation, prevention, response, and remediation efforts. Whether a factory burns down, a worker is severely injured, or a transportation network is ground to a halt by some smart kids in a basement overseas, the impact is the same, and ignorance of technical detail is seldom an accepted excuse. In the last blog of this series, we will address the question, “Where do we start and what do we ask?”