Breaches Reach the Board Room

The discussion of cyber security is finding its way into the board room.  Everyone has read about a breach like the ones at Target, or Neiman Marcus, or Sony.  They also probably now have the word “Heartbleed” in their lexicon whereas six months ago most people would have thought this was a medical condition.  Directors surely must be thinking about whether this could happen to them and what they should do.  Just framing the discussion is often difficult because people simply have little or no background.  They need to know what is going on and what the risks to the company are.

The first interested director is probably the chair of the audit committee.  She or he should be active in asking key questions about security, processes, and what operationally is being done.  This is no different than asking if procedures for check signing are set up and being managed, or about how the shrinkage in retail or warehouse operations is being managed and monitored.  Cyber security has a complete parallel to these issues.

Of course I can’t speak for every board of directors, but a couple of companies on whose boards I serve have a line item on the agenda – usually during the audit committee report – to discuss cyber.  Regrettably, the discussion usually lasts less than five minutes even though the headlines in the newspaper are full of corporate issues around being breached.  I can’t tell if it is a lack of appreciation of how serious the problem is, or if there is even a real problem.  I can’t tell if it is one of those “if I don’t ask, then I don’t have to know” problems.  Solving any problem first requires acknowledgement of the problem.  And the cyber attack problem is getting top billing in the news, just not in the board room.

Ask yourself, does the CEO get a report on cyber security, just like s/he gets a P&L or sales report?  Cyber is dynamic, and it’s a constantly changing front of action, just like sales.  Unfortunately, this is now part of every business and it takes away from business.  But I bet it’ll take much less away than a full breach.