Publication Date: January 4, 2017
This is the second of a four-part series of white papers authored by cybersecurity expert John Reed Stark. This series -- published for the first time on Nasdaq's Governance Clearinghouse -- outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.
Companies can invest heavily in top-of-the-line security software and state-of-the-art systems, but without the proper approach toward their IT employees, those efforts will be for naught. This article focuses on a board's cybersecurity oversight pertaining to a company's most important cybersecurity resource (and threat): its employees.
Given the serious risk associated with cyber-attacks, boards of directors and C-suite executives must address cybersecurity not as an IT issue, but rather as an issue of governance. Boards and C-suite executives should establish a cross-organizational team that regularly convenes to discuss, coordinate and communicate cybersecurity issues, and that is supported by outside cybersecurity response firms and law enforcement agencies.
This paper provides an overview of cybersecurity governance areas that involve people, including:
- Cybersecurity recruitment and retention
- Top-down commitment to cybersecurity
- Employee cybersecurity training programs
- Digital forensics/data breach response firms
- Law firms specializing in data breach response
- Pre-breach law enforcement liaisons
The first paper in this series provided an overview of the critical components related to the governance practices, policies and procedures of a strong cybersecurity program. The remaining papers in this series will broadly cover the following topics:
- Technology: the technical systems that provide the foundation for cybersecurity infrastructure.
- Data Mapping and Encryption: the board's oversight responsibilities with respect to two of the largest enterprise undertakings in cybersecurity, encryption and data mapping.
By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but also more successful in elevating cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item.
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.