Cybersecurity is now a topic of discussion in every boardroom. A diligent director takes this risk, and their fiduciary duty around it, seriously. But the risk is complex and technical, and most boards don’t have a cybersecurity expert among their directors.
So instead, many boards have fallen into the trap of over-reliance on audits and compliance as the measure of whether the company has done its due diligence in preventing a cyber breach. Here’s why this is a problem:
1. Compliance is not security.
Compliance was meant to be a floor, but it has become a ceiling. Industry standard certifications and compliance frameworks (for example, HIPAA, PCI, ISO) are the bare minimum and are intended to be generic. A framework can’t account for the nuances of your company’s operations and environment. These audits look only at a snapshot in time, not the ongoing state of your security. Your company could pass an audit, and a day later a vulnerability could be left unaddressed and your security compromised. I’ll say it again: compliance is not security. The most cyber-resilient organizations are those that treat compliance as a baseline.
2. Security is a culture, not just a function.
I too often hear “cybersecurity is the CISO’s job.” Sure, the CISO may have functional oversight, but the information security team can’t practically micromanage every person’s behavior in the company. Every person has to do their part. Your part might be just following protocol (for example, use unique passwords, don’t forward work documents to your personal device, don’t click links in unexpected emails). These small but important habits need to be built into your culture. Build a culture where everyone views security as their responsibility, and you’ll mitigate 90% of your risk.