Are Boards of Directors Responsible for Cybersecurity?

Whose responsibility within a company is cybersecurity? Should key decisions fall to IT, or should higher management be involved more heavily in day-to-day cybersecurity risk management? Given the large fines and compliance obligations facing companies today, it’s probably obvious to most that data privacy and security is not just a technology issue.

However, a study by the National Association of Corporate Directors found that although 90% of respondents reported that their boards discuss cybersecurity on a regular basis, only 14% of the respondents felt that their board has an in-depth understanding of the relevant risks. Merely discussing cybersecurity is not enough to protect your company.

In addition to a company’s IT department, management and its board should be involved in the company’s cybersecurity plan and process. While board members may not have specialized IT knowledge, the board can and should work to understand the issues and become better equipped to make decisions when it comes to data privacy and security. Below are three steps that a board can take to begin addressing deficiencies.

1 – Assess

First, boards should decide what risks the company faces….
