Cybersecurity And The Evolving Role Of Boards


Protecting an organisation from a security breach is now a critical part of a board’s responsibility. The UK Government’s ongoing national cyber security strategy has highlighted the importance of improving cyber awareness and risk management. The strategy identifies security as a board-level responsibility, and has gone as far as to create guidelines and help sheets for executive teams to protect sensitive data.

And yet, board members often overlook one critical link in the cybersecurity chain: their own roles as custodians of company information. Some of the most sensitive company data – M&A information, negotiation details, senior executive compensation plans, strategic plans, financial and customer data – sits within board reports that are routinely distributed as PDFs over unsecured email, or even couriered to them in paper packs ahead of meetings.

Often, the problem is that the board’s position ‘above’ the organisation means it is excluded from security processes that apply to every other part of the business. We find that while the CIO reviews the company’s cybersecurity requirements, he or she may believe that board security is a matter for the company secretary or general counsel. There is often an assumption that it sits outside the CIO’s domain.

Of course, all security has to be usable – and this can mean a compromise between convenience and effectiveness. Few people want to impose unwanted systems on the most senior people within a company. And so they are allowed to carry confidential information on paper as they travel between meetings, and store this information in whatever way they choose. The possibility of a breach is obvious. But there is another risk: if security is lax at the top of the business, what message does that send at a time when CIOs are trying to reinforce the message that security is everyone’s business?

Board-level information should be subject to the same rigorous security checks as all other data. Consider:

  • Do you know where your confidential data is at any given point? Is it secured, or is it sitting, forgotten, in a pile of paper on the back seat of a taxi? Digital data should be encrypted while both in transit (using 128-bit SSL/TLS encryption) and at rest (using 256-bit encryption to deter hacking attempts), and accessed only with a digital key. Paper is best avoided.
  • Who controls the keys? What is the protocol if a password is stolen? A secure system will be able to deny access rights centrally if this happens.
  • Who has access to your board reports? Is it just the board members, or could there be other people you don’t know who are handling your data? This is particularly relevant if you issue paper packs to directors who sit on multiple boards. Digital versions should be able to assign varying access rights to different people, depending on what level of information they need to see.
  • If you send information digitally (as a PDF over secured email, for example), what happens to it when it reaches the recipient? If the answer is that it’s printed out and carried to the meeting (this happens in many cases, sadly), then you’re back to the first point.

Security has a permanent place on the agenda of board and senior management meetings. It is one of the most pressing issues facing companies today, with the potential to seriously damage reputation in the event of a breach. Closing the final loophole – that of the board’s own security – should be at the top of the agenda in 2015.


Charlie Horrell is Managing Director, Europe, Middle East and Africa, at Diligent. Charlie’s career has focused on driving businesses within the digital, technology and media space. He joined Diligent as managing director in January 2012 after 5 years as CEO of advertising services company, Packet Vision. Prior to that he had been COO of a €1 billion division of Thomson SA, the French media company, CEO of IDP SA in Paris, quoted on the French market, and spent 7 years with News Corporation; initially at BSkyB and then at Star TV in Hong Kong. Charlie began his career as an accountant with Arthur Andersen and has a degree in Economics.