
Cyber Security Roles and Responsibilities for the Board of Directors

Expert insights from Roisin Cahill, Head of Managed Service, IT Force, a company delivering Managed IT Services and virtual AGM services.

The coronavirus pandemic has presented a vast array of challenges for most businesses globally. Most companies have been forced to innovate by initiating remote working and shifting to digital spaces for enhanced business continuity. Unfortunately, the pandemic has also created an opportunity for online scammers and cyber criminals, as employees continue to spend more time online. Notably, cyber crime can inflict huge monetary losses on a company, as well as damage to its reputation. As a result, businesses acknowledge that cyber security is not a responsibility restricted to IT departments only. Today, a company’s board of directors has a role in promoting overall organisational cyber health. I’d like to outline some of the key cyber security roles and responsibilities attributable to the board of directors.

1. Cyber Security Risk Oversight

Traditionally and typically, the oversight of an organisation’s cyber security is exclusively left to the IT department. Unfortunately, delegating cyber security to the IT or Risk Control departments entirely is akin to being oblivious to the wide-ranging impact of cyber crime on the entire organisation. Instead, companies should adopt a proactive management mindset by engaging cyber security as a central organisational topic. This means including the company directors in discussions revolving around digital infrastructure oversight and data security. Generally, the management of the cyber security risk must be incorporated as one of the primary tasks of the company’s board of directors.

2. Resource Allocation for Cyber Security

As part of its governance mandate, the board of directors is responsible for the prudent allocation of the organisation’s resources. Following the outbreak of the Covid-19 pandemic, companies have had to re-think their resource allocation strategies. As a critical agenda item for most company boards, allocating sufficient cyber security resources must remain a top priority. It goes without saying that cyber security cannot be managed without advanced software and hardware and top expertise (human resources). Procuring the right digital tools for employees working remotely and in-office is essential.

3. Promote Tech Experts to the Board

Today, many companies prefer to outsource their IT to tech firms, especially when there are no proficient experts in-house. While this goes a long way in promoting digital infrastructure awareness within the company, companies would benefit from having someone with a good understanding of this area in a top executive position. Promoting tech professionals to the board will help to steer the organisation towards a healthy cyber security environment. Companies must rethink cyber security leadership during and after the pandemic. Having specialists on the board is one of the ways to achieve this objective.

4. Prioritise Material Cyber Risks for Your Business

Cyber risks are not created equal, which is why companies should handle the risks unique to their businesses. Organisations vary in multiple ways, including with respect to their internal and external processes, technical operations, organisational structure, and systems. This explains why every company is faced with a unique set of risks, including cyber risks. Therefore, it is critically important for the board of directors to identify the risks facing their company and formulate strategies on how to mitigate these particular risks. A trusted IT partner can help in this area. Cyber security decisions are solely dependent on the form of cyber risks faced. Prioritising these risks will help the board to allocate the right resources and initiate proactive executive action to minimise or curb their organisation-wide impact.

5. Adopt and Implement a Risk Mitigation Plan

The board should be aware that information and data critical to the organisation's lifelong prosperity run within its information systems. Most employees are accessing these systems on a regular basis, and this means that you are more prone to cyber risks now than before. Therefore, it is vital for the directors to formulate a risk mitigation plan to safeguard the organisation from the risks of cyber crime. The plan must be current and one that provides for contingencies for multiple incidents and unexpected scenarios.

6. Responsibility on the Part of the Board Members

Since cyber security is a concern for the entire organisation, the directors involved in the cyber security discussions must be accountable for possible failures or breaches. If the board is not committed to cyber security individually and collectively, how will it be possible to establish the effectiveness of the proposed cyber security plan and strategies? The modern organisational structure requires that board members take responsibility for the breaches and failures of the company’s cyber security systems. This is especially relevant where employees and customers are exposed to the risk of cyber crime.