How to Build a Cyber-Savvy Board

Jenga game Associations Now May/June 2017 Issue By: Tim Ebner

Board members may be experts in finance, legal, or business management and operations, but far fewer say they feel confident to lead on cybersecurity policies and issues.

A cyber attack can cripple an organization’s infrastructure, and recovering can drain its resources. Being able to anticipate cyber risks requires a smart strategy with boardroom buy-in.

While board members typically demonstrate acumen in finance, legal, or business management and operations, few say they feel confident in what they know about cybersecurity.

In a November 2016 survey by the National Association of Corporate Directors (NACD), 97 percent of board members said cyber-risk oversight was challenging. And only 14 percent said their board had a high level of knowledge on cyber risks.

The fact is most board members don’t have a lot of personal experience in IT or cybersecurity, says Robyn Bew, director of strategic content development for NACD.

“Cyber issues are complex, technical, and fast moving, and new threats are coming onto the scene all the time,” she says. “Boards should work to educate themselves on cyber, regardless of size or sector.”

Every director should make it a priority to improve their understanding of cybersecurity as it relates to the organization.—Robyn Bew, National Association of Corporate Directors

NACD’s Handbook on Cyber-Risk Oversight recommends five key areas for boards to focus on, including making cybersecurity an organizational priority, enlisting cybersecurity experts who can discuss cyber issues, and understanding the legal implications of cyber risks.

“We don’t believe that every director has to be a cyber expert,” Bew says. “But every director should make it a priority to improve their understanding of cybersecurity as it relates to the organization.”

Education is a critical first step. This year NACD launched an online certificate program in cybersecurity, partnering with Carnegie Mellon University and Ridge Global, a cybersecurity firm led by former Homeland Security Secretary Tom Ridge.

“Even for resource-strapped organizations, there are options,” Bew says. “Bring outside experts into the boardroom. A lot of our members ask for cybersecurity briefings from local law enforcement or the FBI field office.”

It’s important for boards to challenge and test their assumptions constantly, Bew says, and to have leading cyber experts available to provide intelligence and risk assessments.

And don’t be afraid to test a cybersecurity response plan. Associations can learn from simulated exercises that involve all levels of leadership, including the board. Usually, these practice drills help get directors talking about cyber-risk oversight.

“These exercises are effective because they show how cyber has a thread in all things,” Bew says. Cybersecurity “should be woven into boardroom conversations, especially when it comes to things like strategic planning or new initiatives.”

[This article was originally published in the Associations Now print edition, titled "Cyber-Savvy Boards."]

Tim Ebner

Tim Ebner is communications director and press secretary at the American Forest & Paper Association in Washington, DC. He is a member of ASAE’s Communication Professionals Advisory Council and a former Associations Now senior editor.