By J. Yo-Jud Cheng & Boris Groysberg
Among the greatest challenges facing corporate boards today is one for which directors feel least prepared: cybersecurity. Yahoo’s disclosure in December of what could be the largest data breach in history was hardly an isolated incident. Indeed, the Guardian newspaper dubbed 2016 the “year of the hack.”
In previous research we found that cybersecurity ranked as a top political issue for corporate directors, trailing only the economy and the regulatory environment. But directors are failing to connect the pervasiveness of cyberthreats with their companies’ vulnerabilities.
Directors feel that they lack not only the processes but also the expertise to address cyberthreats. That was our finding in a survey of more than 5,000 directors in over 60 countries, conducted in partnership with WomenCorporateDirectors Foundation, the consulting firm Spencer Stuart and independent researcher Deborah Bell.
One director told us, “There is too much responsibility placed on boards to oversee areas they don’t have much experience in: i.e., cybersecurity.”
Boards neglect cybersecurity at their peril. An IBM study estimated that the average cost of a data breach is around $4 million. Cisco, in another study, noted that targeted companies suffer substantial losses of revenue, customers and business opportunities.
Hack attacks can’t be viewed as abstract external threats. Directors have to take ownership of these risks. The topic should be discussed regularly in all board rooms, regardless of industry, region or company size.
Boards can take concrete steps to prioritize cybersecurity issues. One survey respondent suggested that directors start by “asking questions and determining whether appropriate processes are in place.”
Directors can hold executive managers accountable by making cybersecurity debriefings a regular agenda item at board meetings. They can also advocate for investments in data security and infrastructure within their organizations, and encourage management to bring in external experts if needed. Boards can bring in their own experts, too, either as consultants or as full board members.
J. Yo-Jud Cheng is a doctoral candidate in the strategy unit at Harvard Business School. Boris Groysberg is a professor of business administration at Harvard Business School.