Cybersecurity And Leadership: Part 2, The Board
Because we're talking about human beings, it's understandable that some members are chosen because they are friends or relatives of the Board Chair, or check some box (e.g. the union member on the board). In terms of function, Board members provide perspective for the corporation's executives, and have a duty to hold executives accountable for performance. Part of executive performance involves cybersecurity.
Some Board members serve on multiple boards or are executives in other corporations. They know people who know cybersecurity, even if those resources are not directly known by a particular corporation's executives. When we're talking about cybersecurity, then, it is their job description to ensure that executives are exercising due diligence to achieve corporate goals while maintaining the security and integrity of the corporation's technology and information infrastructure. And when executives are not able or willing to ensure that security or integrity, the Board must by its nature either take action to remove that executive or recommend removal.
"Ha," you say, "that'll never happen." Well, as Sean Connery learned vis-a-vis the James Bond series, never say 'never again'.
Past cybersecurity threats, the ones that are familiar and even have a name (such as "spear-phishing"), are based on "evil behavioral science": an external entity without systems access gets an internal entity with systems access to do something that allows the external actor to access a system for the purpose of theft, ransom, etc. It's fair to say that we've grown so sadly used to these sorts of attacks that no Board member is going to lose a seat because of a data breach.
But future cybersecurity threats are different in three ways.
First, investors looking for growth, whether through mergers, acquisitions, or early-stage development, expect that cybersecurity has been 'baked in' to operations. Board members of prospects who haven't emphasized this through their directions to executives are likely to be removed because they have shown themselves to be negligent or ineffective.
Second, attacks by agentic artificial intelligence (AI) are a growth business. This is way, way beyond external entities gaining access because some internal entity gave them their pa$$W0rd1. In these AI cases, it's not only the opportunity for theft or ransom; there is also the potential that the AI agent could use the target platforms for ancillary compute. Or to direct the target's operations against allies of the target. Or to derail the target's operations. Where was the board?
Third and finally, now that there is greater knowledge and awareness of cybersecurity, banks and investors would be reluctant to make substantial investments in companies that can't manage cyber risks.
As we say, everyone has a role in cybersecurity. If a Board member chooses negligence or ignorance, their future on the board should be attenuated. Ask us how we can help you align cybersecurity risk management with Board duties.