How to Oversee Cybersecurity as a Board Member

You’re a Board Member. You have been elected to a Board seat based on your communications skills, business acumen, and ability to think strategically. Congratulations, you have arrived!

Now, it is your duty to impart wisdom and guidance to properly steer the financial institution. This means reading about, digging into, processing, and fully understanding ALL aspects of the bank or credit union you are on the hook to oversee.

The problem is nobody can be an expert in all functional areas within a financial institution; one of those areas being cybersecurity.

There is a bill in Congress (S.536) that aims to require cybersecurity expertise on Boards. This will give parts of the Board that are not cybersecurity savvy some internal expertise to lean on.

The Act would require companies “to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience”.

It seems to be only a matter of time before laws like this one, will require cybersecurity expertise on Boards. Until then, other Board members will have to be independently educated on cybersecurity.

One of the biggest problems that we at Rivial witness is a disconnect between the technical cybersecurity people, the business-minded executives, and the Board members within companies. A large percentage of cybersecurity people have a background in IT. Whether they were a network engineer or a systems administrator, it is a natural progression for those who are intrigued by protection to gravitate to cybersecurity. The vast majority of financial institution executives and Board members are business people, who lean heavily toward finance.

The key for a successful institution is to bridge the gap between these two specialties.

The first step in bridging the gap is through better reporting.

Remove Vanity Metrics

Most cybersecurity reports we review in our risk assessment and IT compliance services metrics about security tools, which mean well but are essentially useless.

Don’t get us wrong; we think somebody should be looking at the number of spam messages blocked every month, but that somebody should not be the Board of Directors. The Board has very limited time and brain power to devote to cybersecurity. The Board shouldn’t be bogged down with data that doesn’t support a decision or action.

As a Board member, you should ask the cybersecurity staff to scrutinize any metrics in the report and ask the questions: how is this information useful to the Board, and can they act on it?

Break Cybersecurity into Areas of Focus

A challenge in data security management is the breadth of everything it touches. Cybersecurity is a complex being, layered on top of IT—which is a complex being on its own—layered on top of the business. All information systems, business processes, and people put the organization at risk and must be hardened, refined, and trained to lower the probability of risks being realized.

Many people find it useful to organize cybersecurity into smaller chunks that are more easily digested individually. For example: application access control mechanisms can be reviewed separately from disaster recovery controls. Doing so makes the whole of cybersecurity easier to organize, understand, measure, and manage. It also provides a systematic method of reviewing anything related to cybersecurity.

Assessing risk? Look at risks and IT controls within each category. Assessing a vendor’s security? Look at their controls within each category.

Note: we don’t mean to discount the overlap of many controls, such as ensuring application access controls remain in place during a disaster event.

Request Actionable Information

As a Board member you may have to provide reporting guidance to your cybersecurity team. If you ask them to scrutinize every metric using the question above, you should see the vanity metrics disappear.

The next step will be getting the team to report on things that have meaning. They should be providing you with the most pertinent information to make decisions on behalf of the organization, to steer cybersecurity strategy.

One great example is  IT risk assessment results. As a Board Member you should be setting a risk tolerance and getting results of recent risk measures, to ensure risk levels are below your tolerance, and therefore acceptable to the organization.

At Rivial, our primary goal is to take care of clients. To help make our clients’ lives easier, we created a Board Reporting Template that removes vanity metrics, breaks cybersecurity into areas of focus, and provides a format to deliver actionable information.