Written by Akshay Bhargava
When Honda was hit with a crippling cyberattack in early June 2020, the company had to shut down factories worldwide and other crucial operations. This incident demonstrates the challenge that ransomware and other cyber threats pose to companies' boards of directors each day. My company determined that the attack on Honda was aimed at the company’s internal networks.
Companies strive to stay abreast of the latest cybersecurity threats and the best strategies to respond to them. While we don’t know how the malware that attacked Honda entered the company’s network, a study conducted by Datrium (May 2020) found that remote working policies established in response to the Covid-19 pandemic can make businesses more vulnerable to ransomware attacks.
The impact of these cyberattacks makes it clear that there’s a need for cybersecurity expertise not merely in operations but also at the corporate board level.
The complexities of doing business in the world have increased. The globalization of the world has made all businesses more dependent on one another. Boards need to face the consequences of that interdependence and consider how to reduce or mitigate the new risks it has brought.
The current global pandemic has shone a light on risk, of course: risks to the supply chain, to the company’s reputation, customer data, cash flow and, not least, employee health. However, none of those risks are new; the virus and the interconnectedness of business today make them more acute. In the pandemic, if your supply chains break down, the impact is compounded.
The risks associated with cyberattacks are, in some ways, similar. Like a virus, this kind of risk mutates rapidly. Unlike a virus, there is human technological expertise behind it. Technical, malevolent, covert — a cyberattack can damage your company’s reputation or shut it down for good. In far too many cases, corporate boards are not prepared to keep up with the mutating risk from cyberattacks, and many boards often don’t realize their own responsibility for cybersecurity.
It’s understandable. In the past, when critical infrastructure was being built — electrical, water, utilities, the systems that operate nuclear power plants or the municipal water filtration system — they were isolated. The same was true of businesses. When the internet came along, all these services and companies that were created in isolation became connected.
This opened a pathway to attack the infrastructure and every connected business. Suddenly, cybercriminals could attack a company through its printers, website or employees’ phones. The connectedness has had a transformational effect on security, and businesses are learning how to respond. As cyberattacks constantly evolve, businesses struggle to learn in the face of ever-changing attack scenarios. Indeed, 50% of CEOs in North America worry that cyberattacks may hamper their businesses’ growth prospects, according to PwC’s Global CEO Survey.
That’s where the board plays a critical role. Given the broad responsibility that a board has for strategic planning and oversight, it sometimes needs to seek specific expertise. When a seat becomes vacant, a board may look for specific qualities in choosing a new board member — and the expertise it needs now is cybersecurity.
The eternal truths persist: The bottom line is paramount. However, a cyberattack poses a threat to that bottom line. It can cost in business downtime. If you lose customer data, it can cost you in reputation and intellectual property. It can put the survival of your company at risk. Dealing with this risk is a strategic and imperative challenge for the company.
And there is the rub. The challenge in dealing with this risk is that it is inherently technological. It really cannot be addressed without specialized expertise — expertise that has not been needed in the past and is in short supply in the present.
Companies need cybersecurity expertise, and specifically, they need it at the board level because dealing with these risks involves critical decisions that affect the future viability of the enterprise. You need to model risks and your response strategies, and the response must be holistic. You need to build a culture of security among your staff, run crisis scenarios, have recovery plans if your site is taken down and have informed cost estimates for everything. These measures require the kind of oversight and strategic planning that come under the responsibility of the board.
While a startup may accept existential risks that are unacceptable to an established company, if you’re Amazon, is it an acceptable risk that your site might be down for six hours? No. Is it an acceptable risk that 10% of your supply chain will be affected by a global pandemic? Perhaps. Your risk and response model must be developed out of a deep understanding of your unique business and its values.
There’s a less obvious reason for a company to put a cybersecurity expert on its board. Cybersecurity is, frequently, where the top talent is. This is driven by need; a cybersecurity executive has to be on the cutting edge of technology and innovation to stay a step ahead of the cybercriminals, who are among the quickest adopters of new technologies.
Every company needs to know about the latest technology and innovation to stay relevant and competitive, and a cybersecurity expert brings along expertise in areas like artificial intelligence, machine learning and automation as a bonus. One board member, multiple benefits.
Unfortunately, the easy solution — adding a cybersecurity expert to your board — is anything but easy. For starters, those experts are in short supply. Beyond that, what you really want is someone who understands your business in addition to having highly technical cybersecurity expertise. That person can be even harder to find. Yet whether you add a cybersecurity expert to your board or pull in expertise via consultative experts or partners, the board needs to be on top of cybersecurity.
What’s the prognosis? Will the majority of corporate boards be able to add the needed cybersecurity expertise anytime soon?
I think the prognosis is positive, driven by two forces.
First, boards are becoming increasingly aware of their need for cybersecurity expertise. They will seek the cybersecurity professionals they need.
Second, the cybersecurity industry is growing and will continue to grow, and that’s going to create many successful business executives who come from a cybersecurity background. The growth of that market will remedy the current dearth of expertise.
Ultimately, those two tailwinds are going to get cybersecurity executives on boards. That will be a good thing.
Akshay Bhargava is the Chief Product Officer at Malwarebytes, a Board Advisor at High-Tech startups and a member of the Forbes Technology Council.
Article also published on LinkedIn under Akshay’s profile.