This feedback from EY’s contact with board members resonated with the themes I’ve been picking up in discussions with CISOs and DPOs. I’ll summarise it as “Get the basic cyber hygiene in place, security and privacy by design, and trust but verify” or “Start with understanding what you want to protect.”
Over at Glock Enterprises we’ve been building a portfolio of services and supporting tools that help organisations with their security and privacy programs. Our most successful engagements are with organisations where the board sets the tone, just as EY identifies:
[…] Key takeaways
Our conversations revealed several key actions boards can take as they oversee security risk. These include:
- Set the tone that cybersecurity is a critical business issue; the time and effort the board spends on cybersecurity signifies if it is a priority for the company.
- Confirm that the company’s new technology and business arrangements are designed with security in mind from the beginning by embracing a “Trust by Design” philosophy.
- Understand the company’s value at risk in dollar terms.
- Understand the company’s processes to identify, assess and manage third-party and supply chain risks.
- Make sure the cybersecurity risk management program (CRMP) is independently and appropriately assessed by a third party and the third party should report back to the board.
- Have comprehensive knowledge of the company’s ability to respond and recover, which should include simulations and arranging protocols with third-party specialists before a crisis hits.
- Have a thorough understanding of the cybersecurity incident and breach escalation process and protocols within the organization, including when the board should be notified.
- Stay attuned to evolving board and committee cybersecurity oversight practices and disclosures, including asking management for a review of the company’s cybersecurity disclosures over the last two to three years with peer benchmarking.