Today’s generation of adults has witnessed the nearly miraculous transformation that technology has delivered to society, changing our lives in ways that were once unimaginable even to writers of science fiction. We think nothing of it when we engage in activities our childhood selves would have considered magical, such as making video calls with people from around the world or receiving packages delivered by autonomous aircraft.
Of course, amazing technological advances often come with risks; in our case, our constantly increasing reliance on information systems exposes us to an ever-growing danger that wrongdoers will exploit cyber vulnerabilities to inflict real-world harm such as destroying businesses, undermining liberties, or even endangering lives.
As cyber risks expand, the discussion about how to manage those risks continues to “move up the chain of command.” In the early days of the internet, not only did engineers and first-level managers often establish cybersecurity policies without involving senior corporate management, but CEOs and boards may not have even understood what it meant to connect their businesses to the internet.
Today, corporate boards are increasingly bearing ultimate responsibility when it comes to cybersecurity. Cybersecurity is no longer a technical topic discussed primarily in data centers; it is a critical component of organizational success. CEOs are responsible for managing cybersecurity risk, while directors are responsible for overseeing it, just as they are both accountable for ensuring that the business addresses risks such as accounting or compliance.
Despite a nearly two-decade barrage of news reports of data breaches and other cyber attacks, corporate boards are failing to oversee cyber risk mitigation. This is likely because cybersecurity is a relatively new and rapidly changing risk for businesses, and time-tested best practices have not yet been established. Even more fundamentally, it is against human nature to mitigate cyber risks.
Over thousands of years, our survival instincts have evolved to protect us from visible threats like fires and dangerous predators, and now, our bodies and minds are not naturally optimized to “feel” the threat of hackers sitting 8,000 miles away. As I have said over the past 20 years: Humans are the Achilles’ heel of cybersecurity — never underestimate the impact of human biology upon cybersecurity.
Of course, I’m not saying that boards ignore cybersecurity. Today, most directors are aware of the importance of cybersecurity and committed to ensuring that their management teams properly mitigate cyber risk. Boards regularly encourage senior management to allocate steadily increasing budgets for cyber defense; however, despite such commitment, many boards still lack the knowledge and experience to meaningfully oversee cybersecurity. Boards want to do what is right; they just don’t know how to.