
Cybersecurity Roles and Responsibilities for the Board of Directors

06 Nov 2018

Cybersecurity is now a major responsibility for the Board of Directors. In the face of the high-profile Sony Pictures hack, several iCloud account breaches and the massive Facebook user data abuses (thanks to the company's half-baked third-party application policies), cybersecurity is front and centre in many internet-savvy users' minds. If you are leading a modern-day organisation with any trade focus, it is likely on your mind as well.

On the grounds that such company-wide disasters incur concrete monetary losses, as well as incalculable reputational damage, many business leaders have concluded that cybersecurity is no longer limited to just the scope of the IT department.

Here are the roles and responsibilities that the Board of Directors should be prepared to assume in the new age of digital (in)security:

1. Cybersecurity as an enterprise-encompassing risk

Risk management is among the main tasks of the Board of Directors, and breaches in cybersecurity have evolved into one of the greatest threats of the modern day. Nevertheless, it is almost an instinct to delegate the issue exclusively to the IT department and lose sight of its organisation-wide significance.

Instead of falling into that trap, cybersecurity must become a central organisational topic. It’s a good idea to include information security and digital infrastructure oversight on the Board agenda.

Of course, the IT department remains the main reporting structure, but it’s not a good idea to leave them rudderless. The topic merits executive attention and keen oversight from higher company levels.

2. Setting appropriate resources to nurture cybersecurity

Recognising the need for top-level engagement with cybersecurity issues is only the first step. This strategic decision requires several practical moves in order to fulfil its promise.

The first and most important resource the Board of Directors needs to dedicate to cybersecurity is time. The agenda of every board meeting must have a reserved slot for digital security discussions and allow for ample decision-making time.

On the heels of time and attention comes the need for appropriate investment in human and technical resources. In the cyber-world, you will not get very far without attracting top expertise or relying on the latest in hardware and software.

3. Populate the Board of Directors with cybersecurity experts

Many companies nowadays naturally promote tech professionals to top executive and oversight positions. People with technological and security credentials habitually rise through the ranks and leverage their knowledge and expertise to steer organisations through the sea of digital troubles.

If your organisation's Board of Directors is not blessed with cybersecurity expertise, this is an oversight you should look to correct sooner rather than later. Having such vital experience in-house is a great benefit. If you don’t have in-house expertise, however, there are many reputable outsourcing firms who can handle this area proficiently for you, given how important the topic is. This knowledge and way of thinking will gradually diffuse through the rest of the Board, increasing your company's overall digital infrastructure awareness.

4. Identify and prioritise the cybersecurity risks your organisation faces

Every company has its own unique structure, mode of operations, internal procedures, and, by extension, set of risks. The same goes for cybersecurity: there is no silver bullet.

To guard against cybersecurity troubles adequately, the Board should be able to identify and prioritise all the organisational risks associated with it. Once the list is complete, there are important decisions to be made about how each risk is treated.

Many cybersecurity risks can be mitigated or avoided with appropriate executive action and resource allocation. Others can be externalised, for instance, through buying insurance. Yet others can simply be accepted, which leads us to the next important point.

5. The Board of Directors' individual and collective cybersecurity responsibility

Because cybersecurity is now an organisational risk that the whole Board of Directors must tackle, the board members directly engaged with the topic as well as the chief executives must be held accountable in case of breaches and failures.

Modern corporate culture dictates that people in top-level management and oversight roles assume personal responsibility for cybersecurity disasters. It is paramount for an organisation's reputation that the Board of Directors owns any mistakes and admits fault where it betrays customers' or employees' trust.

For additional resources on Board of Directors' cybersecurity responsibilities see cybersecurity expert Michael Yaeger's Forbes interview and the NIST Cybersecurity Framework.


Roisin Cahill is Director at IT Force, a company delivering award-winning Managed IT Services and Managed IT Security to clients throughout Dublin City. Roisin can be contacted via email at Roisin.cahill@itforce.ie or on LinkedIn.


The views expressed in the posts and comments of this blog do not necessarily reflect the views of the Institute of Directors in Ireland. They should be understood as the personal opinions of the author. The content of this blog is for information purposes only and the Institute of Directors in Ireland is not responsible for the accuracy of any of the information supplied.