Closing the Knowledge Gap: Empowering Non-Technical Executives

By Sofía Garduño | Journalist & Industry Analyst - Thu, 06/08/2023 - 15:35

In an increasingly digitized world, educating boards of directors on cybersecurity becomes essential. Boards of directors must understand their pivotal role in protecting organizations against cyberthreats and making informed decisions in this domain. 

It is crucial for C-suite executives to bridge the knowledge gap and actively engage in cybersecurity strategies. “Cybersecurity is one of the most dynamic areas in technology. It changes significantly from year to year,” says Leticia Gammill, Founder and President, WOMCY. Recognizing the significance of learning, CEOs should prioritize it within the organization and for themselves. This parallels the shift that occurred three decades ago when companies appointed chief data officers to manage increasingly important data, a key to the business’ success. 

However, many wonder how to adequately involve boards of directors in this crucial domain. WOMCY supports this cause by developing programs to increase the talent pool in cybersecurity and promote the presence of women in this field. 

Gartner forecasts that by 2025, 30% of boards of directors will have cybersecurity committees. Furthermore, there is a shift in the current mindset, with many boards of directors forming specialized committees to discuss cybersecurity issues in a confidential environment. 

Organizations often struggle to understand the role of the board of directors in cybersecurity and its level of involvement in this realm. According to the Diligent survey "What Directors Think," board members ranked cybersecurity as the most challenging issue to oversee, surpassing digital transformation, innovation, new technologies and capital allocation. This demonstrates a growing awareness of the importance of addressing cyber risks from the top of the organization.

The board of directors is responsible for making key decisions for the company, driving its strategic direction and overseeing resources and investment areas. It exists to ensure that resources are directed correctly toward the organization's growth. In addition to these responsibilities, directors must address cybersecurity as an integral part of their business management strategy.

Boards of directors must address critical decisions related to cybersecurity, including determining when an attack could occur, assessing the organization's readiness to detect and stop it and mitigating its effects to return to normalcy as fast as possible. Directors must also understand the risks associated with the company's reputation and business disruption.

To effectively address cybersecurity, boards of directors must consider some fundamental principles, such as making cybersecurity easy to understand, closely aligning it with the business, considering it a responsibility of all organization members and fostering motivation toward cyber protection.

Directors should define a clear plan and be prepared for an eventual cyberattack. To do so, education of board members is key, as it enables them to make informed decisions regarding cybersecurity. "Proactive education of board members is essential to mitigate cyber risk in an organization," says Gammill.

Comprehensive education goes beyond data protection; it also addresses risks to reputation and business continuity. It is also important to adopt a zero-trust policy and stay informed about new laws and policies that may influence the organization's cybersecurity strategy. Furthermore, engaging experts and establishing formal education programs for directors can make a difference in preparedness and response to cyberthreats.

The board of directors must take responsibility for overseeing cybersecurity risks. This entails defining the organization's risk tolerance and conducting formal annual reviews. Moreover, it is crucial to create and implement practical tests rather than leaving strategies only on paper. This will ensure that the organization is prepared to identify and mitigate risks in an ever-evolving cyber environment.
