A big challenge facing any team trying to deal with OT and ICS cyber risk is getting the support and leadership of executive management and the Board of Directors on this issue. The problems that arise tend to be related to communication styles, understanding what is truly important to the company, and reducing business risk as the executives and Board define it.
In this podcast I talk with Thomas Parenty of the Archefact Group about the Board of Directors' responsibility in business risk management. Thomas works with Boards for a living and has written the book A Leader's Guide to Cybersecurity.
This podcast includes discussions on:
- Key Item – Approach the Board with a business risk framing rather than a technical one (with how to identify business risk, examples, and discussion of how to do this).
- Board addressing risk of reputation damage due to a cyber attack.
- How much cybersecurity expertise does the Board need? Should there be a “Cybersecurity Director”?
- What level of detail does the Board need related to cyber security controls?
- How does one deal with the Board member who has locked in on a specific control, product or solution that doesn't make sense for the company?
- Could the SEC requiring specific cybersecurity disclosures create regulatory risk that would force the companies subject to these disclosures to take action?
- How is a Board of Directors acting, and how should it act, to deal with COVID-19?
I chime in with my views more often than in a typical podcast, as dealing with executive management and Boards is something I've been doing quite a bit over the last five years.
My favorite quote from Thomas:
It is so easy to do good things, but they're not the most important things. Or they're not the most effective things. Or the money is being spent, but not on reducing the most material risks in the business.
Links
Thomas Parenty's book: A Leader's Guide to Cybersecurity
Thomas Parenty’s session video from S4x19