Do Boards Understand Cybersecurity?
Corporate Leaders Need to Comprehend How Any Risk Could Jeopardize the Business
Many corporate boards of directors in India have made progress in recognizing cybersecurity as a priority. But clearly, they still have a lot of work to do.
That was the consensus of security experts participating in a panel discussion at Information Security Media Group's recent Fraud and Breach Summit in Bengaluru.
"Enterprises have come a long way in dealing with security; every organization today has an enterprise risk management framework to deal with financial, social, security and multiple other risks as it causes business disruption," said Bithal Bhardwaj, CISO, international regions, for GE.
But, he added, "The board must understand the implications of cybersecurity in terms of the overall risk structure and be part of the risk management framework to understand how any risk could affect organizations and jeopardize business."
Need for Awareness
Ajay Kanwal, managing director and CEO at Jana Small Finance Bank, said that although the financial industry is way ahead of other business sectors in dealing with cybersecurity challenges and meeting regulatory compliance, boards still need to improve their awareness of the issues.
"While understanding of compliance issues exists, a lot more education is required regarding the basics of security, including understanding how a malware affects the entire organization with an email compromise," Kanwal told summit attendees.
Sanjay Sahay, additional director general for the Karnataka Police, who chaired the session, noted: "It is important for the board and security teams to work together, bringing about a culture and awareness on how threats could emerge in different forms - whether through insiders, external hackers or malware invasions."
Winning Budgetary Support
Once boards actually take responsibility for assessing risks and overseeing data protection, CISOs will find it easier to win support for an adequate cybersecurity budget, Bhardwaj said at the summit.
"Large corporations still are regulatory and process driven, but the challenge lies with small and medium-sized businesses, which still have not been compromised by security breach situations," Kanwal said. "Hence, the senior management plays a significant role in bringing about awareness."
Bhardwaj pointed out that the security environment is changing as IoT and other smart devices become more common in enterprises. "It's time to enhance policing and ensure that teams ask the right questions to bring regulatory controls across the enterprise's spectrum and build the value of security as a business enabler," he said.
All boards should take steps to ensure that they have at least one board member with expertise in technology to help them make the right budgetary decisions for security, Sahay said.
While understanding risks is critical, boards should also take responsibility for helping eliminate any obstacles to the smooth functioning of security operations.