Can a Cybersecurity App Help Engage the Board?
Looking for Ways to Get Senior Managers, Board Members More Involved
For years, we have been talking about why corporate boards of directors should pay much greater attention to the issue of information security. But not enough progress has been made.
Too often, addressing the topic of security leads to a technology-intensive conversation of little interest to the board. Plus, it's difficult to measure the return on investment, because the most significant return is breach avoidance.
Partha Iyengar, country manager-research, at Gartner India, noted in a recent interview with Information Security Media Group: "Boards are getting conscious about organizational risk and appreciating its importance. But the gulf between the CISOs and the board is huge in India because Indian security and risk practitioners are not mapping board-level risks, as they are not spending enough time to understand them." (See: 6 Principles of a Resilient Digital World)
Unfortunately, many of the initiatives and mechanisms developed by internal security teams to assess security do not get much attention from the board. But the consultancy KPMG in India is offering a free mobile app aimed at helping senior management and board members get more involved.
The Cyber KARE toolkit poses a series of simple business-oriented questions to executives and board members to help them conduct an assessment of cybersecurity, KPMG says. The consulting firm claims the app helps management to monitor cyber risk at a strategic level and come up with a risk management plan.
The idea is to enable senior management and board members to benchmark their organization's progress on its cybersecurity journey and share recommendations to reduce the cybersecurity exposure and define resilience against potential threats, says Atul Gupta, Partner - IT Advisory at KPMG in India (see: CISOs: Prepare for Emerging Tech Risks).
I reached out to some CISOs for their reaction to the app. They generally welcome the offering and expect that the tool may eventually help them earn some support from the board about the urgency of addressing cybersecurity issues.
"Having some tools from the external sources would help, because such products are likely to get more attention from the board than those available internally," says Sachin Jain, CIO and CISO at Evalueserve, a global professional services provider.
Jain hopes that such tools will enable the board to "ask the right questions" about security, which has been one of the challenges he faces as a CISO.
Satyanandan Atyam, associate vice president-risk management, and data privacy officer at Bharti AXA General Insurance, notes: "While it is too early to say if the board will use such tools, I go with the idea that such an initiative will give the management a broad-level understanding of security within the organization. It will hopefully provide a reassurance to the board, as they currently do not have an easy mechanism for it."
Although it's far too soon to know for certain whether tools like Cyber KARE can help boost cybersecurity awareness in the board room, it's clear there's plenty of work to do.
A recent global survey by ISACA and the RSA Conference shows that 82 percent of cybersecurity and information security professionals report that their board of directors is concerned or very concerned about cybersecurity. But the same survey shows that only 14 percent of CISOs report to the CEO. "The majority of CISOs still report to CIOs, which shows cybersecurity is viewed as a technical rather than business issue," says Jennifer Lawinski, editor-in-chief of the RSA Conference.
So what are your thoughts on how to get the board more involved in cybersecurity matters? Can a tool, such as Cyber KARE, play a role? What else is needed? Share your views in the space below.