Gartner predicts that “By 2025, around 40% of boards of directors will have a dedicated cybersecurity committee, up from 10% today.” This is one of several initiatives Gartner expects to see organizations take in response to the risks that emerged from the forced shift to working from home during the COVID-19 pandemic.
The mass adoption of remote work has highlighted the need for enterprises to embrace a holistic security strategy that supports both flexible work and a hybrid IT environment.
According to the 2020 Remote Work-From-Home Cybersecurity Report, 33% of companies in the US are planning to move some positions to permanent remote work, and 55% of businesses plan to expand their budget for a secure work environment in the near term.
To make sure that security risk receives the attention it deserves, companies should appoint a dedicated committee that allows cybersecurity risks to be analyzed. This shift in governance and oversight will influence the relationship between the board of directors and the CISO.
Gaps in Board Members’ Understanding of Cybersecurity Threats and Risks
Generally, C-suite executives and board members have so little expertise in cybersecurity that the CISO needs to communicate more clearly about the threats that exist and the security initiatives they warrant, in order to obtain the budget to deal with them.
Executives and the C-suite do not want a detailed, jargon-heavy account of where a cyber threat originates. According to a NASDAQ-commissioned survey, more than 90% of C-level executives stated that they cannot understand a security report and are not prepared to cope with a major attack.
As a result, there is an unexplained gap between the way executives and security leaders assess security threats, costs and areas of responsibility, and it becomes hard for security executives to convey a sense of urgency to their board.
Only when board members regularly review the organization’s cybersecurity framework can they stay ahead of the risks relevant to their organization. Hence, security matters must be discussed at board level.
Until boards have a dedicated cybersecurity committee, CISOs and security executives will have to make up the difference. These gaps have considerably expanded the threat landscape and led to security breaches that carry a huge price tag.
Why Is It the Right Choice to Have a Cybersecurity Committee?
Perhaps most important in properly meeting the cybersecurity challenge, ensuring preparedness and being ready to respond to any breach, enterprises are increasingly setting up cybersecurity committees and embarking on enterprise-wide security programs.
By creating a committee around the CISO and the security team, organizations can foster a complete approach to cybersecurity, one that recognizes that security communication, policy and process are as crucial as technology. Such a committee becomes an essential tool in building a successful corporate security strategy: taking control of complex infrastructure, reducing duplication in security investment and, ultimately, reducing risk.
This type of governance body is essential for decentralized and multinational enterprises, where acquiring support for company-wide security proposals is difficult.
The typical membership of a security steering committee includes application owners, business managers, IT managers, regional managers, the IT director, the corporate risk manager, the chief security officer and the chief internal auditor.
Another advantage of having a dedicated committee is that it can help security teams manage the flood of information they receive about security risks, threats and technologies. Organizing into teams of experts empowers them to act more effectively on the details they receive.
Roles and Responsibilities of a Cybersecurity Committee
Many responsibilities rest on the shoulders of the committee. The stronger the cybersecurity committee, the more effectively you will be able to tackle the risks.
- The major role of this committee is to coordinate company-wide security initiatives at the organizational level, enabling the organization to optimize spending, manage infrastructure and reduce security risk.
- They will also be responsible for assessing and approving corporate policy on general user behavior and security incident response. This function ensures that business requirements are reflected in the security policy.
- They will also assess, approve and sponsor security investments, including remote access infrastructure.
- They will provide a forum for arbitrating any disagreements or disputes about common security policy and investment issues.
- They will also initiate ad-hoc projects to analyze the process, drawbacks, risks and cost of particular security initiatives, and advise committee members with appropriate recommendations.
- The committee will oversee the development of vulnerability management plans for various worst-case scenarios. This includes:
  - What do you do if a data breach occurs?
  - What do incident controls look like, both externally and internally?
The most important benchmark for an enterprise to feel protected is not the adoption of a specific technology platform or the size of the budget allocated to cybersecurity management, but better governance and oversight.
A dedicated cybersecurity committee is key to making a CIO feel confident about the organization’s security posture.
Gartner’s prediction proves that businesses today are realizing that cybersecurity should take its place among the board’s crucial responsibilities.
Is your security committee not yet on board? Reach out to us for further guidance.