It wasn’t too long ago that cyber security wasn’t even on the radar of most senior executives and boards of directors. The security team sat somewhere deep within the IT organization and, as they worked diligently to secure firewalls and block viruses, they didn’t get much face time with the company’s most senior leadership.
Today, however, we’re seeing an increasing amount of interest in security from boards, and it’s becoming a must-have item on the agenda of every board meeting.
So what’s changed?
The infamous Target breach back in December 2013 and other recent highly publicized breaches to major brands like Home Depot and Sony have played a big part. Not only have they elevated the public’s awareness of security breaches and their impacts, they have also shined a spotlight on how senior executives can be personally liable to their shareholders – both with their careers and potentially even their personal finances.
Breaches like Target’s can cost CEOs and CIOs their jobs, but board members can be at risk too. Shortly after the breach, a report by consulting firm Institutional Shareholder Services (ISS), which works on behalf of institutional shareholders regarding corporate governance, went so far as to suggest that Target should also replace 7 of the 10 members of its board of directors.
ISS noted that Target “provides little disclosure of the risk assessment process conducted by the committees or the board that would assure shareholders of a robust risk identification and oversight program. What may be of concern to shareholders is the failure of these committees, and possibly by extension the full board, to recognize the potential threat faced by the company.”[1]
Cyber security breaches can have a massive impact on the bottom line of an organization as well as its stock price. Although board members may not be expected to be security experts, it is their fiduciary responsibility to understand all of the risks to their organization and what measures are in place to protect it.
So does IT security really have the full attention of the board? If so, how does that impact the security organization? What expectations do board members have, and what information do they now require? Michael Argast from TELUS Security Solutions recently interviewed Ken Haertling, one of Canada’s leading CISOs, on his experiences and tips on working with TELUS’ board of directors.
Watch the full interview here.
[1] ISS Proxy Advisory Services. (2014) Target Corporation. Retrieved from http://docs.ismgcorp.com/files/external/TGT_2014.pdf