Is It Awareness Or Indifference?
Everyone is trying to figure out what it will take to have corporations take cyber attacks seriously, and many believe the problem is failing to get the proper cyber risk information to the Board of Directors (BoD). After all, it is the job of the BoD to protect the company against all types of risk. However, cyber risk (and privacy) has always been this fuzzy thing, talked about in technical terms, not really given the time or effort of really understanding what it means or how it may affect the company. Fifteen minutes at the board meeting by the CIO and CISO and that’s it.
However, I have been hearing about the need for BoD engagement for at least 10 years, so how much time must go by before BoDs actually take the time to understand cyber and privacy risk? Supposedly, individuals who are lucky enough to serve as a Director are some of the best and brightest in the country, so it is not a matter of intelligence. Is it awareness? Or indifference?
I know I am being a bit harsh and tough, but really, how long will the “it’s too hard” excuse last? BoDs owe it to themselves to get educated by bringing in the subject matter experts necessary to get and keep them educated. Because as the headlines show, cyber security and privacy risk are not going away.