According to Directors & Boards author Tom Horton, “A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole.”
It is incumbent on the board of directors (board) to demand information and insight on the issues that could affect the future of the organization. Cybersecurity is one such issue. The overwhelming number of cybercrime incidents has forced boards to become more educated about the topic and ask strategic and thoughtful questions directed toward management and internal audit.
It is imperative that the board not relegate the cybersecurity topic to the IT department. Directors need to take an active role in the organization’s cybersecurity or face the possibility of shareholder lawsuits, and even of being removed from the board.
The Institute of Internal Auditors’ (IIA’s) Audit Executive Center “Pulse of the Profession 2014”1 survey reveals that boards are thinking about cybersecurity. When asked, “How would you characterize the board’s perception of cybersecurity risks over the last one to two years?” more than 65% of respondents indicated that cybersecurity risks were at a high level or had increased...
On the other hand, when asked, “How involved was the board during the last fiscal year in regard to specific action or request on cybersecurity preparedness?” only 14% responded that they were actively involved in cybersecurity preparedness ... However, in the same survey, 58% of respondents said they should be actively involved in cybersecurity matters...
It is clear from this survey that the board would like to be strategically involved in the cybersecurity initiatives, but now the question becomes, “What should the board do?” The objective of this report is to provide recommendations on questions every board should ask and action items to take.