Instructing Boards of Directors in “cyber” -more accurately, in matter of their accountability for overseeing “cyber”- has, very likely, several ways to be met; and, in them, different factors and actors may participate.
The most efficient of such methods -the most painful, too; without meaning that it should be bound to the discipline of a specific instructor- is the one that makes the Board, and its members, suffer in their own flesh the consequences derived from a cyber risk (failure, negligence, attack, …) substantiated on the information/operational systems supporting their organization’s business. Examples of this abound, and are growing in number, as it shows the list of names that have been mentioned, so far, in this column.
An alternate pedagogic treatment, less drastic for directors and in which a specific instructor -YOU- would have her own role, is that in which, as operational responsible for the cyber protection of your organization, YOU should be in charge of educating the members of your BoD on the matter. We have insisted on it, today there is room enough for you to fill this position of councelor and guide (not necessarily meaning it that you join the BoD). For the benefit of your organization, let us be happy having “cyber” onboard of the Board’s agenda, despite staying you outside. It [having you onboard, too] should not be the ultimate goal!
Nonetheless, having “cyber” as part of directors’ agenda will require, not only that you are able to give them the correct answers, in the correct language, etc.; but, first of all, that they know to ask the correct questions, too. And they should do it regularly and insistently. It would be worthless if their interest faded after the first interrogation.
No doubt, questions like the ones we are featuring today (issues derived from interconnecting corporate information systems with industrial control systems; frictions between IT and OT; or the adoption of IT security thesis to protect ICS) should be part, not only of your concerns as subject matter expert, but of those of your directors, in order to make them to understand what the actual difficulties are and to help you in overtaking them, by setting appropriate game rules and giving you authority and resources accordingly.
Deepen these and other topics in our weekly "Newsletter". Subscribe here and enjoy reading!
PS: Naturally, our congratulations go to Ane and Sergio. ;-)