Wait for it:
In a recent study by Harvard Business School, corporate boards ranking their own performance across 23 process areas ranked cybersecurity DEAD LAST. (The study should be taken seriously because Harvard is a pretty good school, kind of “the Stanford of the East.”)
Incredibly, in previous work the same researchers found cybersecurity ranked as a top political issue for corporate directors, trailing only the economy and regulations. Still, just 38% of directors had a “high level of concern” about security risks, and an even smaller proportion said they were prepared for these risks. So, in other words: directors “get” that security is an urgent issue, but are failing to make the connection between the ubiquity of digital attacks and their own companies’ actual vulnerability. The authors said, “These findings confirm that directors simply aren’t internalizing” the extensive, long-term damage the inevitable digital attack(s) will inflict on their organizations.
The mind boggles. One wonders what fraction of these board members have vaccinated their kids against smallpox.
The main problem in the study, authored by J. Yo-Jud Cheng, a doctoral candidate in the Strategy unit at HBS, and Boris Groysberg, a professor of business administration at the same school, seems to be “a lack of understanding of the issue and an unwillingness to make room (on the Board for those who have it).”
This is where security instrumentation technologies, like Verodin, can help. By continuously testing the overall effectiveness of the company’s security infrastructure, Verodin makes it painfully obvious what’s working and what’s not. Risk & cyber can finally start to be discussed (and measured) in grown-up quantitative terms with empirical data, just like any other area of the business. With practice, that means everyone gets smarter, and everyone starts asking better questions (and getting better answers).
Boards can and should hold management accountable for quantitatively evaluating risk with solutions like Verodin. Boards should require execs to maintain up-to-date response plans and make security briefings a regular agenda item at board meetings. Board members must be advocates for, not obstacles to, smarter data security investments, and must embrace new expertise. I agree with the authors wholeheartedly when they say these investments need to be viewed as vital to the organization’s risk management and long-term strategy and need to be reviewed on a continual basis.
Just remember, in the immortal words captured in the minutes of the Board of the Hudsucker Corporation, Inc: