The Role of Data Security in Corporate Governance

Data security, while often seen as a set of technical problems, is very much a corporate governance responsibility as well. As such, it involves executive accountability, risk management, testing and training, and reporting controls. Because of this, the CEO and board of directors at the organization need to be actively engaged in protecting data security in their organization. 

There are, in fact, many links between data security and corporate governance.

Data Security and the Board

Individual board directors may lack the technical expertise to properly grasp the complexities of data security. However, individually and collectively, and with support from technical experts, they must strive to bolster their enterprise’s security efforts. This doesn’t mean they need to be directly involved in these efforts, only that they are aware that the many areas they oversee entail some degree of cyber risk. 

Since they are directly responsible for overseeing risk management, board directors must oversee cyber risk management, too. This means keeping a close eye on the strength of their internal controls, which can alert the board to any possible cyber threats. 

Board directors are also responsible for ensuring that their managers are held accountable for regularly training other employees about how they can establish a culture of data security. In addition, boards need to make sure that cybersecurity teams are carrying out rigorous and regular testing. The implementation of the framework for data security rests with senior management, but board directors are the ones responsible for overseeing these efforts and holding management accountable. 

Corporations are still working out how to structure their management so that no gaps remain in cybersecurity oversight. Various titles can be appropriate, including CISO, CIO, COO, and CEO, so long as the job descriptions are clear and every manager has a full understanding of their duties.

Data breaches can easily and quickly lead to legal liability for corporations. Therefore, board directors have an obligation to ensure that the corporation follows all state, federal, and local laws. This entails staying current with data privacy and breach notification laws, as well as knowing who the appropriate local, state, national, and global authorities are, in case a breach or breach attempt needs to be reported. 

As part of good governance, board directors must also protect their shareholders, employees, and stakeholders against any legal issues that may follow from cyber risks.

Data Security as a Regular Item on a Corporation’s Agenda

In their efforts to maintain and improve data security in their organization, board directors need to collaborate with cybersecurity experts on a regular basis. This could be a company IT expert, chief information officer, or chief security officer. 

Board directors should also dedicate some of their time to discussing cyber risk matters. Items on the agenda should include the corporation’s overall cybersecurity strategy, existing projects, data security challenges, and any budgetary needs that the cybersecurity team has to carry out its duties effectively.

Effective corporate governance also means having an awareness of how competitors are protecting and defending themselves against cyber attacks. This allows boards to learn from their competitors’ experience and improve their own security. A further link between data security and corporate governance involves boards becoming acquainted with third parties who perform independent testing and checks on data security health.

How Data Security is Discussed in the Boardroom

Technology is an ever-present asset in boardrooms. For this reason, directors need to ensure that the software they’re using is up-to-date and offers them the right protection. This includes many types of technologies, from mobile devices to board portals. 

Board members should run their own risk assessment on the devices they use and make sure that their communication methods don’t expose sensitive board materials to malicious attacks. Board members should avoid email and instead use a secure communications tool, which helps prevent board materials from being sent to an outside party by accident.

In addition, to protect their corporation’s level of data security, the board of directors must select the right suite of products, so that the amount of technology used in the boardroom can be kept to a minimum.

Data Security as an Enterprise Management-Level Risk

Data security is an enterprise management-level risk just like other management areas, and so should be assessed with the same level of diligence and priority. Boards need to investigate all aspects of data security threats, including how to avoid them, how to mitigate them, how to insure against them, and how to make decisions regarding aspects of risk they can reasonably accept. 

Furthermore, the board needs to weigh the level of data security risk against the amount and types of coverage in their cyber risk insurance policy, which helps determine whether the coverage limits are adequate. Cyber risk analysts can assist the board by providing data on the financial and reputational costs the company would face in the event of a data breach.

Because many board members lack knowledge of cybersecurity risk, it’s vital that boards pay special attention to their governance duties in this area of the business. Doing so puts corporations in a strong position to prevent and mitigate data breaches and, in turn, to maintain the smooth functioning and reputation of the company.

Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.