Rewiring Boardroom Cybersecurity

Boards must act now to safeguard their organizations from cyberattacks. This playbook lays out tangible actions for boards to strengthen cyber-preparedness and protect organizations from current and emerging threats.

Written by:

Dr. Moudy Elbayadi

Author of Big Breaches: Cybersecurity Lessons for Everyone

Contributors:

Will Houston

Consultant, Egon Zehnder

Scott Texeira

Consultant, Egon Zehnder

Drew McFeetors

Consultant, Egon Zehnder

Juan Valverde

Consultant, Egon Zehnder

Rod Hackman

Board Member

In late 2013, Target’s systems were breached when a third-party contractor fell victim to a phishing attack.

The hackers were able to install malware on Target's point-of-sale (POS) systems, which allowed them to steal the credit and debit card information of approximately 40 million customers, as well as the personal information of 70 million customers, including names, addresses, and phone numbers. Target had to pay out millions of dollars in settlements and fines, including an $18.5 million settlement with 47 states and the District of Columbia, as well as a $10 million class-action lawsuit settlement with affected customers. The breach also led to a drop in sales and stock prices, with Target reporting a $17 million loss in profits during the fourth quarter of 2013. Multiple board members, including Kenneth Salazar, Mary Dillon, Roxanne Austin, and CEO Gregg Steinhafel, were called to testify before Congress.

Four years later in 2017, Equifax suffered one of the largest data breaches in history.

The breach involved hackers accessing the personal and financial information of approximately 143 million Equifax customers, including names, birth dates, Social Security numbers, and credit card information. The breach also exposed driver's license numbers for some customers. Equifax had to pay out millions of dollars in settlements and fines, including a $700 million settlement with the Federal Trade Commission (FTC) and other government agencies, and a $380.5 million settlement with affected consumers. The breach also led to a drop in Equifax's stock price, and the resignation of several high-ranking executives. Richard Smith, then CEO of Equifax, was summoned before Congress in October 2017. Testimony also included current and former board members, including Mark Feidler, John McKinley, and Edith Cooper.

It's well understood today that the threat of cyberattacks poses a significant risk to companies in reputation, business continuity, and financial losses. Yet despite these and many other high-profile examples, companies and boards continue to make fundamental mistakes in their cybersecurity policies, such as relying on regulatory compliance as a complete defense or relegating cybersecurity to a simple IT issue. Even as awareness of this ever-present threat has increased, it hasn't necessarily translated into the required level of commitment at the board level, or, ideally, the appointment of a director with deep expertise in cybersecurity.

The time for boards to act is now.

With such high stakes on the line, it’s clear that cybersecurity is an indispensable competence in the boardroom. In this e-book, author Dr. Moudy Elbayadi, CTO of Shutterfly and author of Big Breaches: Cybersecurity Lessons for Everyone, offers a concise and practical playbook for boards of directors to improve their understanding of cybersecurity issues and challenges, create a systemic approach to improve their company’s defenses, and prepare for potential attacks with an integrated, holistic plan.

Our hope is that these resources take your organization’s cyber-preparedness to the next level. Are you ready to rewire your board?

William Houston, Scott Texeira, Drew McFeetors
Members of Egon Zehnder’s Cybersecurity Practice Group


Conclusion

In today's rapidly evolving digital landscape, cybersecurity has become a top priority for organizations across industries.

Cyber threats have become more sophisticated and frequent, with the potential to cause significant financial losses and damage to an organization's reputation. It is essential that boards of directors and technology leaders take an active role in managing cyber risks and build highly resilient organizations that can withstand cyberattacks and outages.

To achieve this goal, organizations need to adopt a comprehensive, systemic approach to cybersecurity. This approach involves addressing all aspects of the corporation, including employees, processes, and technology. The board must play an active role in cybersecurity governance and establish a culture of managing and governing cyber risks. Elevating the CISO's role, establishing Cybersecurity Risk Committees, promoting continuous education, and understanding technical debt are critical components of building a strong cybersecurity posture.

It is also essential to hire experts with diverse backgrounds, prioritize diversity in recruitment and selection, and create a comprehensive approach to cybersecurity. Boards of directors must engage in regular conversations with the CISO and senior technology executives to ensure effective cybersecurity, mitigate risks, and prepare for emerging threats.

Establishing an effective cybersecurity risk subcommittee can provide guidance and advice to the board of directors on cybersecurity matters. The subcommittee should cover various topics such as cybersecurity risk management, emerging threats, incident response planning, cybersecurity insurance, third-party risk management, employee training, regulation and compliance, budget allocation, data protection, technology debt, technology roadmap, and cybersecurity metrics and reporting.

Preparing for the worst-case scenario, a major data breach and outage, requires a robust incident response plan, regular tests to ensure preparedness, appointing a breach response team, identifying critical systems and data, containing the breach, investigating the breach, notifying affected parties, implementing remediation measures, communicating with stakeholders, and reviewing and improving security measures. Conducting simulated breaches (wargames) and employing white-hat hackers to test and strengthen an organization's cybersecurity defenses can also help prepare for a potential cyberattack.

Celebrating victories in cybersecurity is often overlooked due to the nature of the field. Success in cybersecurity means that nothing happened, which can make it challenging to identify and celebrate accomplishments.

However, recognizing and celebrating successes is vital for building morale, motivation, and fostering a positive culture.

Boards of directors can acknowledge and celebrate the security and technology team's efforts through formal recognition programs, awards, or simply appreciating their contributions. Celebrating both individual and organizational successes can build a positive corporate culture, foster unity, and encourage collaboration across departments.

Throughout this e-book, we have argued that cybersecurity is a critical aspect of any organization's success in today's digital age. Boards of directors and technology leaders must take an active role in managing cyber risks and building highly resilient organizations that can withstand cyberattacks and outages. By adopting a comprehensive, systemic approach to cybersecurity, promoting diversity, engaging in regular conversations with the CISO and senior technology executives, establishing an effective cybersecurity risk subcommittee, preparing for potential cyberattacks, and celebrating victories in cybersecurity, organizations can effectively manage and mitigate cyber risks, protect their reputation, and achieve long-term success. We hope we have been able to inspire you to take up this challenge and lead with greater impact. We need you!

Karena Man, former Egon Zehnder consultant, contributed to this report.