
Forbes - Cybersecurity Is a Business Risk

Once the domain of the IT department, cybersecurity now encompasses the entire organization. From increasingly sophisticated cybercriminals and an exploding attack surface to heightened financial consequences of successful attacks and new cyber regulations, cyber risk is business risk—making cybersecurity a central element of board governance.

Emphasizing the importance of board involvement in cybersecurity, the U.S. Securities and Exchange Commission (SEC) proposed new rules in 2022 for public companies that, among other things, would require disclosure about the cybersecurity expertise of board members as well as the "board's oversight of cybersecurity risk and management's role and expertise in assessing and managing cybersecurity risk and implementing the registrant's cybersecurity policies, procedures and strategies."


What's more, the cost of a data breach has skyrocketed. According to a 2022 IBM report, the average cost of a data breach in the U.S. is more than $9 million. If that's not troublesome enough, cyberattacks also can result in data loss, downtime, a damaged reputation and customer churn—all of which affect a company's ability to operate as well as its bottom line.

Given this confluence of factors, many boards are navigating unfamiliar territory as they work to find directors with cyber experience who can help manage risk. Here are a few suggestions to help companies' board directors and C-suite along their journey of security and resilience.


Shift Your Mindset

For too long, boards and members of senior leadership have generally dismissed cybersecurity because many of them viewed it as a cost center and business inhibitor rather than a business enabler. It comes down to educating the board and senior leadership on the inherent risks of being cyber complacent.

Companies adopting this mindset typically do what is required to check the box on the compliance front but fail to put security and resilience strategies in place until they're forced into action by a cyber incident. By then, it's too late.


Similar to other data loss events such as hurricanes and data center outages, cyberattacks are a predictable problem. It's no longer a matter of if a business will be hit but when. In this new reality, board members need to view cybersecurity through a new lens. A strong cybersecurity posture is a powerful way to ensure business resilience in the face of any type of data loss event.


Identify The Crown Jewels

With this new mindset, the organization can start getting proactive about cybersecurity and resilience. However, it's important to note that the attack surface of a company has grown so considerably with the cloud, the bring-your-own-device trend, the work-from-home movement and other digital transformation initiatives that it's now impossible to protect everything within an organization.

To make things more manageable, board members should work with IT and security teams to identify the assets—data, systems and processes—that cybercriminals are most likely to target, allowing the organization to focus on protecting those first.


Put A Plan In Place

With a newfound understanding of the most critical assets, board members can determine their appetite for risk and work with senior leadership as well as the IT and security teams to implement security and resilience strategies accordingly.

Plans should be based on the company's current IT and business landscape. They should include processes to address weak points in the organization's security posture as well as basic technologies such as identity controls, multifactor authentication, vulnerability management, anti-malware, patching, encryption, application whitelisting, monitoring, network segmentation and data loss prevention.

The more processes a company has in place without oversight, the greater the risk. Threat actors rely on organizations not keeping tabs on the sometimes hundreds of processes that go unchecked and unmanaged, making them a gateway into an organization.


Enforce Governance

Ensure security teams implement monitoring and benchmarks in order to keep tabs on how cybersecurity and resilience plans are performing, how they may need to be adjusted to align with changing business demands and security threats and how they are enabling the business with secure operations.


Learn From Every Incident

Even with strong cybersecurity and resilience plans in place, no company is immune from cyber risk. If a cyber incident happens, instead of playing the blame game, take it as an opportunity to improve the business. Gather all stakeholders involved, assess what went wrong and determine strategies to prevent it from happening again. Every incident, good or bad, should be a part of your incident response playbook.

Cyber risk is a business risk that board members can't afford to take. From evolving the way leaders view cybersecurity to ensuring IT and security remain integrated with the business to providing oversight on tools and processes that will mitigate risk, boards have the opportunity to pave a path of resilience. When a company is able to stand up to any cyber event, security transforms into a business driver—and growth is the ultimate goal of every board.
