
A Tool to Help Boards Measure Cyber Resilience

October 4, 2023

Summary.   

During our research, we asked cybersecurity leaders, board directors, and other subject matter experts about board cybersecurity discussions and the reporting given to boards in preparation for these discussions. All respondents had strong opinions about cybersecurity boardroom discussions. Generally, participants agreed that boards had a difficult time discussing cybersecurity at a meaningful level, that the board needed different information, and that a new approach was necessary.

By now, most boards know that cybersecurity is a business risk they must oversee, and that they must ensure proper mitigations are in place. In an earlier article, we described the conversations boards must have to perform this role. We made a case for discussing cyber resilience instead of cyber protection. Organizations cannot protect themselves well enough to rely simply on additional investments in protection. Certainly, protecting assets, systems, and data is critically important, but as continued headlines have shown, focusing on protection is just not enough. Companies, and the boards that oversee them, have failed to find the right way to be protected enough (as evidenced by the constant headlines about the latest innovative breach of an underprotected organization). Instead, we advocate that boards have conversations about resilience, not just about protection.
