Boards and Cyber Risk

Boards have had a lot on their minds when it comes to risk these past few years, from the pandemic to supply chain risks to the war in Ukraine to the threat of a recession, but there's one risk that should remain top of mind at all times, and that's cyber risk. And it's cyber risk not only within the board's company but within that company's ecosystem of vendors and customers, and even the governments in whose countries they do business. What's your cyber risk backup plan? For this discussion I'm joined by Sudhir Kondisetti, consulting principal and national information technology risk leader for RSM.

Interviewer: Sudhir, can you provide us a landscape view of potential infrastructure risks and concerns around cyber risk?

Kondisetti: Sure. Thank you. You know, it's changed over the last decade. It used to be that cyber risk was focused on building a perimeter defense, right? So the firewalls, the external devices, to protect your internal data and systems. Well, what we've seen now with the growth of cloud applications and data center outsourcing is that there is very little information that's stored exclusively on premises at an organization. So what we've seen in the last few years is a refocus on how you are protecting your data wherever it is.

So cloud due diligence, data center due diligence, vendor risk management, really looking at all the possible attack vectors from an intruder, not only yourself but all your vendors. And that's been the biggest sea change we've seen in cybersecurity in the last 10 years.

Interviewer: Well, you serve on the RSM board of directors, which gives you a unique perspective on how boards can look at such risks. What do you recommend boards do to get ready for those kinds of risks, those cloud and off-premises risks?

Kondisetti: It's twofold. Number one, you really need to dig into what your security department and your IT department are doing. If you get an answer in your inquiries with them that says they've just outsourced it, so everything's fine and they don't have to worry about the problem, that is a problem, right? You have to make sure they understand that their responsibility around security does not stop when they've outsourced it.

So they need to dig into: what are they doing to perform the due diligence on their vendors? What is their responsibility as opposed to their vendors' responsibility? And then also, most attacks originate from inside, meaning someone's desktop or mobile device is compromised and it sends information out. So that person may have trusted access to an application in the cloud, and they're pulling data down, and now that's available. So they still have a responsibility on the internal network. But I think the most important thing is that security is not absolute. I think we've seen that when major Fortune 100 companies, who have spent millions of dollars on security infrastructure and personnel, and government agencies have been hacked and suffered data loss. The idea must now be that it's not a matter of if we're going to be hacked, it's when we are, and when are we going to be in a position where we could suffer data loss. So having a good plan in place to respond to an intrusion is really important. A breach is a big deal; we don't like to use that word "breach" until it really is a breach. But knowing how do I identify it, having a plan in place, knowing who you're going to call, that's all important to have built out before such an incident happens. I use the analogy of a disaster, right? It used to be, what do you do when the hurricane hits and we have to rebuild the data center and our offices? Now it's, what do we do, what's our plan, if a hacker breaks into our systems and steals or immobilizes them through a ransomware attack? You have to have the plan in place.

Interviewer: Do you recommend that a board goes through an incident response drill or a tabletop exercise on a breach, to help exercise the muscles?

Kondisetti: Absolutely, just like you do with the disaster, right? You go through the exercise; you don't actually have to execute the plan. But yes, a tabletop exercise, making sure people are available. I've seen some clients actually pull the plug on the internet, not during an active time. There are plenty of businesses that are open and operating 24 hours a day, but those that are only operating predominantly during business hours can take that step of actually disconnecting and seeing what happens, because that does give you a little bit of extra protection and understanding of, okay, if this system is down, how does it affect other systems?


So I would go so far as to investigate whether that's possible. But if not, a tabletop exercise with all the parties involved, that's a great idea.

Interviewer: So what key takeaways do you have for board members, then, as they think about cyber risk? You know, it's easy to say this is too technically complicated. What can they do to be better at this?

Kondisetti: I'd say one important thing is, when you're selecting board members, have someone on the board who's technically savvy. Now, that does not mean they have to be a security engineer or a hardcore programmer, anything like that, but they have a background in and understanding of technology. That's number one. Number two, I would have regular updates from the security officer, or if you don't have a security officer, the CIO, on what is happening on the security front. We, for example, have a quarterly meeting with our CIO and CSO concurrently in one of our committees, and then they do an annual presentation to the board. This allows us to see trends on what's happening, what struggles they're facing, what new technology they're putting in place. Security is always changing, and you have to have that steady rhythm of communication from management to really understand what's happening.

About the Author(s)

directorsandboards

Gregory P. Shea, Ph.D., is adjunct professor of management and senior fellow at the Wharton Center for Leadership and Change Management, and adjunct senior fellow of the Leonard Davis Institute of Health Economics at the Wharton School.


