It’s time for boards to seek IT specialists, even if they don’t tick the traditional boxes

Board members have fiduciary and oversight responsibility for the organizations they serve. That now includes understanding the cybersecurity threats and risks facing their organizations and leading the implementation of strategies for their organizations to mitigate the risks. If a board lacks the IT knowledge to perform this role, it is time for the board to seek IT specialists. Ideally, they need to appoint a skilled IT specialist as an independent board director, even if this means selecting someone they would traditionally be overlooked because they did not tick all the boxes.

Increased risk and increased Cyber Attacks

IT is an integral part of an organization, regardless of size and business model. For some, the adoption of new software, technology and business practices was expedited by COVID. Staff were forced to work from home, using personal devices and networks. Cash was replaced with digital transactions. Meetings, negotiations, and sales had to occur online rather than face-to-face. Organizations had no choice but to act fast and adopt new technologies, apps and software to survive. Most organizations lacked the time, resources and expertise to thoroughly evaluate any potential risks in implementing these technologies.

With many organizations left vulnerable, the pandemic has seen a considerable increase in the number, sophistication and types of cyber attacks. Unfortunately, smaller organizations and charities are often easy targets because they usually lack the funds and technical expertise to foresee cyber risks and implement adequate systems to mitigate risks.

Check Point Software’s 2022 Security Report highlights the magnitude of COVID on cybersecurity, with organizations reporting an increase of 50% in 2021 from 2020 of attacks on their networks.

The top 8 cyber threats organizations are vulnerable to are:

1. 1. Email fraud (no email protection is 100% failsafe)
   2. Cloud data breaches
   3. Ransomware attacks (increased by 41%)
   4. Software supply chain attacks (increased by 650%)
   5. Denial of services attacks
   6. Malware attacks (steal or destroy data or sabotage systems)
   7. Malicious insider attacks
   8. Smishing – (a form of phishing attack that targets mobile devices)

Class Actions & Legislation

Data security and privacy legislation vary from country to country and even by states within a county. However, there is a commonality whereby if an organization fails to protect consumer and client data, regulators will enforce their legal powers and victims will seek compensation. In the worst-case scenario, organizations may face a class action from shareholders and customers, ultimately costing millions of dollars in legal fees, settlement payouts, plus loss in sales and reputation.

In the US and Canada, class actions against corporations following breaches of sensitive personal and business data are increasing. In the last decade, numerous well-known organizations have faced consumer class action lawsuits for violations of data privacy laws. The settlements in data breach class actions have reached well into the millions: Home Depot ($200 Million); Capital One ($190 Million); Uber ($148 Million); Morgan Stanley ($120 Million); and Yahoo! ($85 Million).

In many jurisdictions, board members may be liable if reasonable care and due diligence are not undertaken. Post-pandemic, directors should now assume that their directors’ duty now extends to include IT diligence and data care.

Organizations need digitally smart boards

At the board level, awareness and education must be a priority, as cyber risks will only continue to evolve and escalate. Boards and board members will be increasingly exposed, legally and reputational, if they are not making decisions to mitigate cyber risk and effectively communicate breaches to stakeholders.

Even with the rising rates of cyber attacks, most board members are confident they understand the threat landscape, have prioritized cybersecurity and have taken sufficient action to keep their organizations safe. Unfortunately, many studies have found this not to be the case, with boards’ primary focus being the bottom line, valuing technology as an operational process that improves business. Most boards lack the knowledge to foresee the true impact of a cyber failure. Even more, boards lack the skills and knowledge required to respond should a cyber incident occur.

The Cybersecurity: The 2022 Board Perspective Report found globally (65%) of board members believe that their organization has made adequate investments in cybersecurity. Unfortunately, the Board members hold this belief because their organization were yet to experience a cyber incident. Any cyber defence is good enough—until it isn’t, and it is only a matter of time before it will be tested.

Boards must become digitally smart to ensure that IT vulnerabilities and threats are identified, mitigated and adequately managed. Organizations need to protect people, data and the bottom line. According to IBM’s Cost of Data Breach Report, For 83% of companies, it’s not if a data breach will happen, but when. With the average cost of a data breach in the US being $9.44M and globally $4.35M, to protect the bottom line, boards must understand how cybersecurity risks can affect their organizations.

It is time for all boards to seek IT specialists

Organizations should complete a board skill matrix to identify gaps in skills and competencies in cyber risk and IT. The organization must then seek an IT specialist to fill the gaps. Depending on the result, when seeking a new director, the board should prioritize required IT skills over those previously seen as essential, including finance and governance experience.

Boards also have the option to upskill the current director. However, new skills are harder to learn with age. With 80% of FTSE 350 board members between 50 and 70 years old, the complexity required to upskill in cybersecurity and IT systems is a daunting task. For most boards, the best option is to appoint an IT specialist board member. They could be an internal appointment, such as the CIO or CTO, but ideally, they should be an independent board director.

Boards should seek IT specialists who have successfully implemented large-scale technology projects. These strategic skills demonstrate board-level capabilities. Previous board experience should not be a requirement. Technology moves fast, and boards can not afford to wait to find a board member who ticks all the traditional boxes.

If organizations cannot appoint or find an IT board member, the board must seek IT specialist advice. Options include establishing an IT advisory committee or engaging an experienced external IT consultant who will report directly to the board.

What does this mean for those of you seeking Board Roles?

If you are an IT specialist, it’s time to sell yourself appropriately. When preparing your board pitch and board CV, ensure you articulate your IT skills and their value at the board level. Apply for board roles even if you don’t feel that you tick all the boxes. Your IT skills should, now more than ever, be of more value and supersede some of the more traditional things a chair looks for when appointing a new director.

If you are not an IT specialist, you should consider gaining and keeping up with IT knowledge, particularly in cyber security. I believe more boards will seek IT specialists or directors with IT knowledge. So, instead of investing your time and money in governance courses, consider courses and certifications in IT, risk management and cyber security.