Cybersecurity Boardroom Reform Is Blowing In for SolarWinds

The SolarWinds data breach is the stuff of plaintiff lawyers' dreams and corporate directors' nightmares.

SolarWinds has joined a fast-growing club whose members share a catastrophic cybersecurity breach along with one other thing. Common to all members of this club: 100% of their boards want to take a more effective approach to cybersecurity risk, 100% of the time, after the breach.

SolarWinds has just taken steps to bring cybersecurity risk under control in the boardroom. The actions they are taking do not break any new ground, except for them, although they are far from widely accepted practices. But they should be, and they could be widely adopted without much effort or boardroom expense. The ROI of fixing digital risk management and cybersecurity deficiencies in the boardroom is very positive.

The CEO of SolarWinds just said they are creating a cybersecurity committee on their board and adding leaders who are literate in digital and cyber risk. At the time of their breach, SolarWinds' corporate board had assigned their Nomination and Governance Committee to oversee cybersecurity risk. This is an unusual practice. The effectiveness and actions of the three former directors of this committee will be closely scrutinized during the forthcoming litigation.

Putting digitally and cyber-literate corporate leaders in the boardroom is not an innovation. I have been claiming this since 2016.

And there's more to solving the problem of corporate control over digital risk and cybersecurity than just that, though it starts with corporate leaders being able to oversee those issues effectively. There are three components to an effective digital and cybersecurity risk oversight approach that any corporate board can implement very quickly:

  1. First, add cyber-literate corporate leaders to the board (boards should also add broader digital skills and strive for a critical mass of three digitally savvy leaders).
  2. Organize the board's oversight of digital risk and cybersecurity in a Technology and Cybersecurity Committee, staffed by those three digital directors and possibly one cross-committee director from the Audit Committee. Technology management and cybersecurity belong together: new technology initiatives, ongoing projects, and the IT operations that create business value should be managed along with the cyber risks and threats to that business value. Boards of public companies have been asked to do this since 2018.
  3. Finally, corporate boards need to recognize that risk is changing and that the scope of their risk oversight must change with it. These changes are very much about systemic risk, and in particular the systemic risk that exists throughout their digital business systems. Cyber threats cannot be understood and mitigated without an understanding of systemic risk. Systemic risk is a completely new aspect of risk management that most organizations have little understanding of.

Taking these three steps is a starting point for understanding and mitigating the rapidly changing complexities surrounding digital business systems. Government reforms and mandates are also coming on this issue, to get companies and boards to address the things they have so far been unable or unwilling to deal with.

Reuters recently reported that the product industry could soon be held to a higher level of accountability and disclosure for the cybersecurity risks and breaches of their products. President Biden may sign an executive order as early as next week addressing this issue.

The draft order could also strengthen the public/private partnership on cybersecurity risk by creating an incident response board, or clearinghouse, for breaches and other risk issues. This has been a topic of debate for a long time, and perhaps it comes about now as the new administration belatedly puts emphasis on the issue of cybersecurity risk.

Digital and cybersecurity success starts in the boardroom. So, unfortunately, does digital and cybersecurity failure, but that doesn't have to be the case. Solutions to this challenge are within reach for all companies and boardrooms.
