The Role of the Board and Senior Management in Developing a Cyber Security Strategy
The financial sector is one of the most critical cyber infrastructures of the United States according to the Department of Homeland Security, and therefore a multi-pronged approach should be employed to secure critical resources within the financial services industry. Developing and implementing an effective cybersecurity strategy is critical to meeting business objectives, since cybersecurity has become a boardroom agenda item and needs to be approached as an enterprise risk management issue rather than as a technical or technology problem.
I believe senior management and the board should play an extensive and critical role, working with the Chief Information Security Officers (CISOs) and Chief Risk Officers to help craft the strategy by identifying which risks to avoid and allocating adequate resources to address the critical cyber risks. Their involvement will help put a strategy in place to reduce the residual risks while increasing the security and protection of critical resources. Cyber security immensely affects a business and has to be approached as such; hence the involvement of senior management and board members with the security technology leaders within the organization enables them to understand the overall risk profile of the organization and allows them to make the right decisions in resource allocation. When senior management and the board are committed and involved, it makes it easy for CISOs to acquire the resources (primarily budget) they need to implement appropriate and effective security controls that enable the business and deliver quality services and products to customers in a secure manner. Their involvement also sends a strong and positive message to the rest of the organization and to the industry as a whole. This can even enhance the confidence level of your customers and enhance the image of the organization to potential business partners.
Insufficient involvement or commitment, or the absence of either, ultimately renders the strategy ineffective. There are also legal implications of cybersecurity risks, which can further damage the reputation of the organization, cause huge financial loss, and eventually negatively impact the earnings per share of the organization if it is publicly traded. This makes it critical for the board of directors and senior management to keep cybersecurity front and center and to effectively address any issues that might negatively affect the organization and its plans. Resources should be readily available to address any current and emerging threats and risks to the organization. Cybersecurity risk is gradually becoming the number one area of concern, given all the cyber-attacks and how organizations rely solely on the internet (cloud services storing sensitive and critical customer, employee and corporate information), which poses a huge risk. I recommend that the board and senior management hold periodic and frequent cybersecurity risk meetings separately with the cybersecurity and technology risk executives to ensure adequate time, staffing and budget are allocated to address critical cybersecurity risk issues and to ensure the most effective and sustainable strategy is put in place.
I hope this provides some insight into the relationship between the board and senior management and the CISOs and Chief Risk Officers in implementing the most effective and sustainable cybersecurity strategy.