Cyber risk top 5: What every board should know
David Homovich
Solutions consultant, Office of the CISO, Google Cloud
Seth Rosenblatt
Security Editor, Google Cloud
Boardrooms, centers of strategic leadership and decisive action, are navigating a period of unprecedented transformation. The convergence of rapid technological advancements, AI-driven disruption, an ever-evolving cybersecurity landscape, and a dynamic regulatory environment presents a unique set of challenges — and opportunities.
Yet boards of directors are now on the hook for many cybersecurity risk management and governance decisions, a big change thanks in part to new rules from the Securities and Exchange Commission (SEC) that took effect this year. The recent SEC guidance follows growing concern about operational resilience, and about organizations' ability to prepare for and recover from a cyberattack.
More business leaders (38%) than security leaders (33%) told us in a 2023 survey that cybersecurity is their top risk concern, which contradicts a widely held view among security leaders that business leaders don’t appreciate the risk of cyber-threats to their organization.
This concern is also reflected in Proofpoint’s 2023 board of directors poll. More than 70% of surveyed board members said that cybersecurity is a high priority for boards, that boards understand the threats their organizations face, and that resources have been adequately invested in cybersecurity.
At Google Cloud’s Office of the CISO, we see a convergence of concerns from boards of directors, CISOs and business leaders. As part of Cybersecurity Awareness Month, we’re emphasizing the need for boards to take time to learn about security and digital transformation to better manage the risks that their organization faces. We firmly believe that more board awareness of the specifics of their organization’s security posture, and more board involvement in cyber risk-management decisions, can lead to more resilient outcomes for all.
To that end, we’ve collected the top five board-level security considerations from our Perspectives on Security for the Board report series.
- Board engagement on AI and cybersecurity: We’ve already begun to see the impact that AI will have on cybersecurity. To maximize the benefits of AI technologies and minimize risks, we recommend that boards work with their CISOs, technology, and business leaders on three main security and AI vectors.

  First, boards should understand how their organization plans to deploy secure AI systems. Then, they should work with their CISO to understand how best to use the power of AI to achieve better cybersecurity outcomes at scale. Finally, boards can help anticipate threats by working with their CISO to stay informed on AI developments. Read the report.

- How boards can help cyber risk oversight: There are many complexities to consider when addressing cyber risk, including government-led mandatory minimum cybersecurity standards. These make the risk calculus more nuanced, but not impossible.

  From the board perspective, cyber risk is best understood and managed through the lens of overall business risk. Doing so requires effort to integrate cybersecurity and resiliency into business strategy, risk management practices, budgeting, and resource allocation. Read the report.

- Board-ready crisis communications: In the middle of a cyber incident, crisis communications can be a lifeline for business continuity efforts. Doing so requires training the organization, before an incident, on how to communicate quickly and effectively with stakeholders, customers, and the wider public during a cyber-crisis.

  The board’s oversight position gives it unique insights into both technical defenses and crisis communications strategies. This integration creates a better foundation to safeguard your organization’s digital assets and reputation, and can also help maintain and possibly even improve trust. Read the report.

- Optimizing insurance protection through collaboration: Cyber insurance can help organizations recover from cybersecurity-related disruptions to their business caused by data breaches, ransomware, and other types of cyberattacks. These tips can help streamline the process of right-sizing your organization’s insurance needs.

  Much of the analysis and approach required to develop a robust cyber insurance strategy overlaps with the broader approach to managing cyber risk. Organizations should ensure that the two processes are integrated, rather than operating in parallel. For comprehensive cyber risk management, the board should facilitate cooperation between the CISO (focused on technical aspects) and Finance (focused on financial impacts). Read the report.

- Psychological resilience in cybersecurity leadership: The stresses CISOs and their teams face take a psychological toll, and can lead to poor decision-making and burnout. The constant stream of new threats, the knowledge that even the strongest defenses can be breached, the impacts of tight budgets and staffing on security decisions, and communicating crucial security risks to senior executives can all create immense psychological pressure.

  While these burdens can make CISO teams feel isolated and unsupported, they do not exist in a vacuum. We recommend that boards and executives assign a high priority to the psychological resiliency of their CISO and security team, as a core component of their overall business strategy. Read the report.
The role that boards of directors must play in cybersecurity and operational resilience has never been more important, as Kevin Mandia, founder of Mandiant and Google Public Sector board member, said in his RSA Conference keynote this year.
“Boards are there to provide oversight to companies, and we are seeing that that oversight has been mandated and we have to communicate it. Between emerging sovereign data laws, privacy laws, cybersecurity standards, legislation, and regulations, boards are motivated to get engaged and stay engaged,” he said.
For the latest Google Cloud guidance for boards, including blogs, reports, videos, and contact information, please visit our Board of Directors Insights Hub.