For Boards of Directors (BODs), this requires developing new ways to carry out their fiduciary responsibility to shareholders, and oversight responsibility for managing business risk. Directors can no longer abdicate oversight of cybersecurity or simply delegate it to operating managers. They must be knowledgeable leaders who prioritize cybersecurity and personally demonstrate their commitment. Many directors know this, but still seek answers on how to proceed.
HBR has posted a sensible write-up on the cybersecurity question of how responsibility is assigned. Ideally, IT direction should be represented within the leadership team, and there should be clear protocols for the layers of defence. Like every structured document, it lists best practices under the NIST Framework (recommended in the write-up).
Here’s something instructive:
If a ransom is sought, what is our policy about paying it? Although the board is not likely to be part of the detailed response plan itself, the BOD does want to be sure that there is a plan. Which executives and leaders are part of the response plan? What is their role? What are the communications plans (after all, if systems are breached or unreliable, how will we communicate?). Who alerts authorities? Which authorities are alerted? Who talks to the press? Our customers? Our suppliers? Having a plan is critical to responding appropriately. It’s highly unlikely the plan will be executed exactly as designed, but you don’t want to wait until a breach happens to start planning how to respond.
All of this assumes more importance for healthcare. Knowing the extent of breaches (and their consequences) is critical to ensuring business continuity and patient care. Always keep pen and paper handy: the paper-based fallback should be maintained in parallel with the electronic systems, not allowed to fall into disuse.