The rapid shifts that companies have made during the pandemic to keep their businesses up and running – remote work arrangements, supply-chain adjustments, and increased reliance on online platforms – have been a boon to organized crime, hacktivists, and nation states. Cyber attacks of all types proliferated during the pandemic, highlighting the far-reaching implications for supply chains and operations, as well as the ongoing cyber security challenge facing companies.

Boards have made strides in monitoring management’s cyber security effectiveness – for example, with greater IT expertise on the board and relevant committees, company-specific dashboard reporting to show critical risks and more robust conversations with management. Despite these efforts, the acceleration of digital strategies, remote work and hybrid work models, increased regulatory scrutiny of data privacy and the growing sophistication of cyber attackers all point to the continued cyber security challenge ahead.

The board should be:

  • Expanding the strategic conversation around cyber security to align business goals with security needs (also see priority #1 for more on the board’s role in strategy discussions).
  • Ensuring alignment with management – including CISO (Chief Information Security Officer) – on the security plan.
  • Ensuring their organization’s ability to sustain operations, recover rapidly and manage the consequences when a cyber attack occurs (also see priority #6, the board’s role in reassessing the company’s crisis management plan).

As we’ve noted, data governance overlaps with cyber security, but it’s broader. Data governance includes compliance with industry-specific privacy laws and regulations, as well as privacy laws and regulations that govern how personal data – from customers, employees, or vendors – are processed, stored, collected and used. Data governance also includes the company’s policies and protocols regarding data ethics, in particular, managing the tension between how the company may use customer data in a legally permissible way and customer expectations as to how their data will be used.

Managing this tension poses significant reputation and trust risks for companies and represents a critical challenge for leadership.

To oversee cyber security and data governance more holistically:

  • Insist on a robust data governance framework that makes clear how and what data are being collected, stored, managed and used, and who makes decisions regarding these issues.
  • Clarify which business leaders are responsible for data governance across the enterprise, including the roles of the chief information officer, chief information security officer and chief compliance officer.
  • Reassess how the board – through its committee structure – assigns and coordinates oversight responsibility for both the company’s cyber security and data governance frameworks, including privacy, ethics and hygiene.