Report: Boards Typically Updated On Cybersecurity Only After An Incident

A recent report from the Ponemon Institute suggests that boards of directors may need to improve communication with IT teams in order to protect against growing cyber-attacks on industrial controls systems (ICS) and operational technology (OT) environments. In fact, some may only be updated on cybersecurity matters when a security lapse occurs.

According to the report, many companies are not addressing the fact that different governance controls and procedures are required to safeguard different areas of the company. Boards should work to ensure that they understand the expanding scope of cyber risk, and that there is a comprehensive cybersecurity strategy in place that clearly defines the roles of the IT team, management executives and corporate directors.

The report said that 63 percent of the 603 survey respondents’ organizations had experienced an ICS or OT cybersecurity incident within the last two years, yet only 35 percent had implemented a unified security strategy program to secure both the IT (information technology) and OT (operational technology) environments of the company.

Additionally, the report found that C-suite executives and the board of directors are not regularly informed about the efficiency, effectiveness and security of their cybersecurity program. Only 35 percent of respondents said that someone responsible for ICS and OT cybersecurity reports information about IT and cybersecurity initiatives to the board. And of those, 41 percent said that they only received cybersecurity updates when a security incident occurs. If management executives, the board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats. To combat this risk, boards should consider the following:

• Conduct a comprehensive review of the cybersecurity measures currently being implemented by all IT teams. The board and the management team must understand what is currently in place in order to determine if the company has adequate cybersecurity. If the board does not have a true cybersecurity expert among its ranks to oversee a review of all security systems, it may be necessary to bring in an outside consultant to determine where vulnerabilities are and how they can best be mitigated.

This comprehensive review should also be used as an opportunity to educate the board and management teams about the interaction between all those responsible for the industrial control systems (ICS) and operational technology (OT) systems of the company. The report authors make it clear that there are “fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production and facility shutdowns are real risks.” Effective cybersecurity measures will account for those differences and create clearly defined roles for industrial and operational team members, management executives and board members to follow if a cyber incident occurs. According to the report, only 48 percent of respondents said their organization understands cyber risks and has specific security processes and policies for OT and ICS environments.

A comprehensive review of cybersecurity measures will also allow the board and management to allocate an appropriate budget for security programs. A clear picture of what is currently being spent on security and what new risks the company faces will give the board enough information to determine what level of resources will be needed to protect the company’s industrial and operational systems.

• Create a cybersecurity or IT committee that reports to the board, or appoint a cybersecurity expert to the board. Cyber threats will continue to be an ongoing concern for all companies in all industries, so someone should be appointed to monitor these threats and keep the board and management team informed about strategies that can protect against security-related disruptions. A committee of IT executives that is responsible for cybersecurity measures and reports to the board may work for some companies; for others, a board member with extensive cybersecurity experience who can suggest effective security procedures and evolving safety measures may be equally effective.


Matthew Scott

Matthew Scott is the former managing editor of the Financial Times’ Agenda newsletter. Based in New York, he writes about corporate governance and investing topics.
