One of the greatest challenges facing boards today is the one directors feel least prepared for: cybersecurity. Yahoo’s disclosure in December of what could be the largest data breach in history was hardly an isolated incident. Indeed, the Guardian dubbed 2016 the “year of the hack,” and cyberthreats are increasingly common across all sectors.
In previous work we found that cybersecurity ranked as a top political issue for corporate directors, trailing only the economy and the regulatory environment. Directors acknowledge cybersecurity as an urgent global issue, but are failing to make the connection between the pervasiveness of cyberthreats and their companies’ vulnerabilities. When we asked them to describe their levels of concern and readiness for various risks to their companies, cybersecurity took a backseat to worries about regulatory and reputational risks, which directors were more adequately prepared to deal with. Just 38% of directors reported having a high level of concern about cybersecurity risks, and an even smaller proportion said they were prepared for these risks. In the words of one director, “Cybersecurity is a big issue, but there is a broad spectrum of risk in this business, so it is a key factor among several.”
When directors evaluated the factors that could limit their company’s ability to achieve its strategic objectives, cybersecurity issues were overshadowed by more salient concerns like attracting and retaining top talent, the regulatory environment, and global competitive threats.
These findings confirm that directors simply aren’t internalizing the extensive, long-term damage an attack could inflict on their organizations. Why the disconnect between the global- and company-level views? Using a comprehensive survey of more than 5,000 directors in over 60 countries, conducted in partnership with WomenCorporateDirectors Foundation, Spencer Stuart, and independent researcher Deborah Bell, we found two main reasons: Boards lack the processes and the expertise they need to surface, evaluate, and address cyberthreats.
Inadequate processes. Most boards have robust processes for addressing their most pressing responsibilities, such as financial planning and compliance. But when we asked specifically about processes related to cybersecurity issues, such as regular discussions about cyber risks (with or without cybersecurity specialists) and management reviews of contingency plans for a data breach, directors gave their boards low marks. Only 24% rated those processes as “above average” or “excellent.” In fact, among the 23 processes we asked about, directors ranked the ones related to cybersecurity dead last.
The strength of these processes also varied by industry: Boards in the IT and telecom sectors led the field, with 42% reporting strong measures; in the materials and industrials sectors fewer than one in five directors could say the same. In the health care industry, a common target for data breaches, and one that has proven to be particularly vulnerable, 79% of respondents said their organizations lack robust cybersecurity processes.
Lack of expertise. When we asked directors about the board duties they struggle with, risk and security issues were the challenge they mentioned most. The main problem, they said, was that they simply don’t have the expertise. One director pointed to “a lack of understanding of the issue and an unwillingness to make room for those with new thinking and understanding of the issue.” Another said, “There is too much responsibility placed on boards to oversee areas they don’t have much experience in, i.e., cybersecurity.”
A Real Strategic Threat
Boards neglect cybersecurity issues at their peril. An IBM study estimated that the average cost of a data breach is around $4 million. Cisco, in a recent study, noted that targeted companies suffer substantial losses of revenue, customers, and business opportunities. Clearly, these attacks can’t be viewed as an abstract external threat. Boards have to embrace the facts and adjust their thinking: Cybersecurity threats are universal, and board members have to take ownership of these risks. The topic should be discussed regularly in all boardrooms, regardless of industry, region, or company size.
Boards can take concrete steps to prioritize cybersecurity issues. One director suggested that directors start by “asking questions and determining whether appropriate processes are in place.” Boards can hold executive management accountable for evaluating current cybersecurity risks and maintaining response plans by making cybersecurity debriefings a regular agenda item at board meetings. They can advocate for investments in data security and infrastructure within their organizations, and encourage executive management to bring in external experts if needed (boards can bring in their own experts, too, either as consultants or as full board members). These types of investments should be viewed as vital to the organization’s risk management functions and long-term strategy, and need to be reviewed on a continual basis. As one director told us, “In light of the threats, this issue should be examined in a way that is broader than a risk considered by the audit committee.”
The scope of cybersecurity threats will only continue to grow. By being more proactive about cybersecurity issues, directors can play an essential role in safeguarding their organization’s stability and supporting future growth.
J. Yo-Jud Cheng is a doctoral candidate in the Strategy unit at Harvard Business School. Her research interests focus on succession planning processes and other issues related to strategic human resource management and personnel economics.
Boris Groysberg is a professor of business administration at Harvard Business School and the coauthor, with Michael Slind, of Talk, Inc. (Harvard Business Review Press, 2012). His work examines how a firm can be systematic in achieving a sustainable competitive advantage by leveraging its talent at all levels of the organization. Follow him on Twitter @bgroysberg.