A third of Fortune 100 boards currently include a director who is a CIO. According to unpublished Korn Ferry data, cited by Harvard Business Review, the number of CIOs serving on Fortune 100 boards has increased 74% in the past two years.
“CIOs are the fastest-growing addition to the boardroom: They can help address a host of issues of crucial importance to boards, including using technologies to create operational efficiencies and competitive advantage; identifying opportunities related to cloud computing, digitization, and data; addressing threats and risks associated with information security; and using their experience and judgment to oversee, question, and provide input on technology budgets,” the writers noted.
CEOs and boards still generally perceive technology as a cost. But “more boards are waking up to the power of leveraging technology as a competitive weapon,” according to Tim Theriault, former CIO of Walgreens Boots Alliance and current board member of Alliance Data, The Vitamin Shoppe, and Wellmark Blue Cross and Blue Shield, as cited by HBR.
Nearly 90 percent of directors at public companies say their board discusses cyber-risk regularly, yet only 14 percent of boards have in-depth knowledge of cyber-risks, according to a survey by the National Association of Corporate Directors (NACD), cited by Internal Auditor. Almost 60 percent of respondents reported that they find it challenging to oversee cyber-risk. For 51 percent of publicly listed companies, cyber-risk oversight falls on the audit committee, but 96 percent of directors surveyed say the full board takes on the big-picture risks that could impact their company's strategic direction. The most common board cyber-risk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent).
A previous survey by advisory company Gartner, cited by Business Insights, showed that some 71% of managers say IT risk management data influences decisions at the board level. The study authors found an increasing focus on IT risk as part of corporate governance. Almost 40% of respondents stated explicitly that the most senior person responsible for information security reports outside of the IT organization. The security programs are sponsored at an increasingly senior level. Some 63% of respondents indicated they receive sponsorship and support for their information security programs from leadership outside of the IT organization, compared to 54% in 2014.
Here is a list of questions boards can ask management once a cyber breach is found:
- How did we learn about the breach? Were we notified by an outside agency, or was the breach found internally?
- What do we believe was stolen?
- What has been affected by the breach?
- Have any of our operations been compromised?
- Is our crisis response plan in action, and is it working as planned?
- Is the breach considered “material information” requiring prompt disclosure and, if so, is our legal team prepared for such notifications? Who else should be notified about this breach?
- What steps is the response team taking to ensure the breach is under control and the hacker no longer has access to our internal network?
- Do we believe the hacker was an internal or external actor?
- What weaknesses in our system allowed it to occur (and why)?
- What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?