Boards need IT specialists now more than ever

Boards and their members have fiduciary and governing responsibility for the organizations they serve and all stakeholders. Now more than ever, this includes identifying and mitigating cyber and digital threats and ensuring they’re prepared to contain and communicate breaches should they occur. If a board lacks the IT knowledge to perform this role, it is time for the board to seek these specialist skills. Ideally, the board should appoint a skilled IT specialist as an independent board director, even if this means selecting someone they would traditionally overlook because they did not tick all the boxes.
Post-COVID digital risk
Information technology is integral to any organization, regardless of size, industry and business model. For some, the adoption of new software, technology and business practices was not planned but forced on them during and, more so, post-COVID.
Staff were initially forced to work from home, with many organizations now adopting a hybrid workforce and non-traditional in-house offices. This requires digitally available administration, processes, communication, resources and documents, as well as access to networks from various places and devices. Infostealer malware poses a significant risk by stealing credentials and session cookies from individual devices. The Forrester: State of Data Security, 2024 report found that 21% of enterprise breaches in the previous 12 months were due to an external attack on the device of an employee working from home or in a remote environment.
Even post-COVID, negotiations, sales, and contracts are finalized online, not face-to-face. Cash transactions have been replaced with digital transactions, regardless of the transaction amount. This sensitive data is stored in numerous virtual clouds.
During COVID, organizations had no choice but to act quickly and adopt new technologies, apps and software to survive. The organizations and their boards lacked the time, resources and expertise to evaluate potential risks in implementing these technologies. Many of these technologies are now the foundation of their business operations.
Unfortunately, smaller organizations and charities are still easy targets because they lack the funds and technical expertise to foresee risks and implement adequate new systems and software to mitigate them.
Where do boards currently stand?
It will not surprise you to learn that the cyber and data security risks to organizations have increased, as have the complexity and number of attacks.
Check Point Software’s 2025 Security Report shows the magnitude of the situation globally. In 2024, the number of weekly attacks significantly increased across most sectors. The education, healthcare, telecommunications and government sectors are proving particularly popular due to the amount and sensitivity of the information they hold.
Technology and supply chain organizations have also experienced a significant surge in software and hardware attacks. As a result, they have become prime targets for cybercriminals seeking to exploit supply chain vulnerabilities for financial gain, espionage or disruption.

The top cyber threats organizations are vulnerable to are:
- Ransomware attacks
- Email fraud and business email compromise
- Cloud data breaches
- Software supply chain attacks
- Disruption of services attacks
- Malware attacks
The risks presented by AI
As we enter 2025, we are beginning to identify clear risks to organizations associated with AI technologies’ external and internal adoption. Cybercriminals have been the first to recognize the potential of generative AI. This technology is sophisticated, with algorithms that simulate the learning and decision-making processes of the human brain. Generative AI can create many types of content, including text, images, video, speech, artwork, data simulations and software code.
External risks to organizations from this technology include producing deep fake images, video and audio, more sophisticated phishing emails, false data and reporting, fake news and code hacking. AI technology enables cybercriminals to intensify their activities by reducing the time and technical knowledge needed to conduct their attacks.
Organizations fail to identify and mitigate the risks of using AI technology. As AI technologies and software are being adopted formally and informally into workplace environments, the potential for breaches of confidential data, sensitive commercial material and intellectual property caused by employees inadvertently sharing information with open-source AI platforms like ChatGPT or Google’s Gemini is significant. Employees might input confidential information, such as financials, to generate reports or analyses, often without realizing that unauthorized individuals could access this data.
The financial and legal implications
For organizations and boards, mitigating technology and data risks is more than meeting the data and privacy legislation relevant to their location, governments, or industry. Boards must protect the interests of all stakeholders and consider their liability. In some jurisdictions, board members may be held personally liable if they do not exercise reasonable care and due diligence.
If an organization fails to protect stakeholders, regulators may enforce their legal powers, and victims will seek compensation. Organizations may also face a class action from shareholders and customers, which could ultimately cost millions of dollars in legal fees and settlement payouts, plus losses in sales and reputation.
In the US and Canada, class actions against corporations following breaches of sensitive personal and business data are increasing. In the last decade, numerous well-known organizations have faced consumer class action lawsuits for violations of data privacy laws. The settlements in data breach class actions have reached well into the millions: Home Depot ($200 Million); Capital One ($190 Million); Uber ($148 Million); Morgan Stanley ($120 Million); and Yahoo! ($85 Million).
Class actions aside, data breaches are financially destructive. The IBM Cost of a Data Breach Report 2024 estimates the global average cost of a data breach at US$4.4 million. Costs add up, and so does the pressure on the board, with the average time to contain a breach after detection at 73 days.
Boards must incorporate IT specialist skills
The Cybersecurity: The 2023 Board Perspective Report found that 73% of board members globally believe their organization faces a significant cyberattack risk. Of these, 53% think that their organizations are underprepared to cope. There are concerns that current economic issues may be taking precedence and that some board members no longer see cybersecurity as the day-to-day issue it was during COVID.
Boards will be increasingly exposed, legally and reputationally, if they are not making decisions to mitigate cyber risk. They must be prepared to communicate any breaches to stakeholders effectively if and when they occur. To do so, they must have IT specialist skills represented on their boards.
Completing a board skill matrix will identify gaps in skills and competencies in cyber risk and IT. The organization must then determine the best way to fill any gaps identified. This may be possible via the upskilling of a current board director, but it is most likely that they need to appoint a new board director (internal or external) with the required specialist IT skills. Gaining these IT skills is essential and should be prioritized over more common skills such as finance and governance.
If organizations cannot appoint or find an IT board member within a reasonable time, another option is to establish an IT advisory committee or engage an experienced external IT cybersecurity consultant to report directly to the board.
For those seeking Board Roles
If you are an IT specialist, you are in the box seat and need to pitch yourself accordingly. When preparing your board pitch, board resume and LinkedIn profile, ensure you articulate your specialist IT skills and their value at the board level. Look for board roles where you may not tick all the boxes but can identify how your IT skills are valuable to that board and the organization. Your IT expertise and insights should, now more than ever, take precedence over some of the conventional attributes that a chair seeks when selecting a new director. However, don’t take it for granted that this will be readily apparent to them. You must clearly define their risks and demonstrate how your skills can provide valuable solutions.
If you are not an IT specialist, you should consider gaining and keeping up with IT knowledge, particularly in cyber security. I believe more boards will seek IT specialists or directors with IT knowledge. So, instead of investing your time and money in governance courses, consider courses and certifications in IT, risk management and cyber security.
About the Author
David Schwarz is CEO & Founder of Board Appointments. He has over a decade of experience in putting people on boards as an international headhunter and recruiter. He has interviewed hundreds of directors and placed hundreds into some of the most significant public, private and NFP director roles in the world.