“As 'software eats the world' and digitization permeates every type of organization, so follow the threat vectors that hackers exploit. I believe the need for leaders to think through their cyber security posture and investment has to start at the highest levels of accountability,” Dooley adds.
“Board oversight is intended to keep executives focused on those things that are strategically important to an organization. As such, board involvement means that executives will see cybersecurity as one of the long-term strategic objectives they need to balance, and place value on it accordingly,” says Vikram Phatak, CEO of NSS Labs.
Few would doubt that now, but it has been true for decades, so why has the attention span of top execs and board members lengthened now? Many of those interviewed believe that in years past, aside from regulatory compliance and privacy risks, information security was viewed as a technology challenge that would be solved – rather than an ongoing adversarial battle with cybercriminals. “I suspect [many boards] thought it was a tech problem that would quickly go away instead of realizing it was a business risk that would go on for a very long time,” says Martin Fisher, IT security manager at Northside Hospital.
Will the board attention span be longer this time? Many think so. “I think the issues of cyber security are sitting at the board level and are there to stay. With the continued breaches we see that the era of ‘it can't/won't happen to us’ is over and board members understand it's a risk they have to monitor, just like all of the other large risks they handle,” says Fisher.