The future of every established company usually lies in the hands of its board of directors. It is the board's duty to examine how company risk in every form is mitigated and to inform shareholders accordingly. When there are financial anomalies, investors hold the directors and the financial team accountable. The same now applies to data security breaches.
In 2013, a very public breach took place at the Target Corporation. Institutional Shareholder Services demanded that seven members of the board be voted off for lack of accountability. In 2014, taking into account rising cases of fraud and financial irregularities, the Federal Financial Institutions Examination Council initiated a programme of information security guidance to achieve greater levels of maturity in the system. In this maturity model, the Board of Directors or its committees are required to bring more visibility and clarity to the organisation's data security position.
The Rise of Data Security
No company today can confidently say that it is at zero risk of a security infringement. Some companies are at a much lower risk than others, but every company stands in danger of its confidential information being hacked. This is why company directors need to take a closer look at their risk profile and at how they can protect their company from hacking and data loss and its aftermath.
Although the Securities and Exchange Commission levies fines against organisations for information security oversights, it is still trying to find the equilibrium between symbolic and punitive fines.
Knowing One’s Risk Appetite
With the rise in board-level visibility, company directors are now issuing risk appetite statements as the basis for data security programmes. Under such a programme, directors re-examine the annual risk self-appraisal and measure management's results in order to rate the outcomes of the evaluation and apportion funds to address them. This gives company directors a fundamental rationale for direct visibility into the company's cyber security stance and for initiating attempts to connect that stance to reformation goals. These recommendations were released in late 2015 for all CEOs and Boards of Directors.
Reviewing Risk Management
The practice of dealing with threats and their disclosure is known as risk management. It is not the same as risk elimination, as eliminating risk entirely can be an unrealisable goal in today's technological era. Dealing with risks begins with comprehending the threat environment and understanding how the company and its data are vulnerable to it.
The responsibility of company directors for security breaches will continue to grow. Companies can no longer afford to blame the IT department or replace the technology officer after a security breach. At the end of the day, the responsibility for hiring the IT department or the manager in charge lies with the company directors. Understanding data security risk and its mitigation options will continue to be an ongoing process in which directors are more than just enlightened spectators; they will now be held accountable for data breaches too.
The threat to data security is highly complex and a massive challenge for every organisation, and unfortunately one that is likely to grow. Every business must have the appropriate compliance and management processes and adopt the right data security measures to protect classified data. For organisations to achieve the aim of being wholly protected, they must consider developing a data security risk management model that helps them understand the risks they face, based on the assessment and management carried out by those who have data ownership.
Such systems must ensure that every organisation:
- Is able to recognise, measure and supervise cyber security risks
- Instils efficient and secure data management practices and attitudes
- Enforces and sustains relevant network controls, including both conventional and targeted security measures
At the end of the day, effective data security is the responsibility of the entire organisation. With active collaboration between departments, data controllers, IT security and every user in an organisation, data security measures can become effective. Additionally, active collaboration between organisations, third-party vendors and associates, government bodies and the industry can help in keeping abreast of the rapidly evolving threat while enabling institutions to organise and safeguard themselves. By achieving an efficient and balanced approach to data security, organisations will be able to preserve internal and external confidence while continuing to develop their core capabilities and achieving profitability securely and steadily in the digital age.
Management must consider how they impart awareness and training in data security practices and responsibilities across the organisation. This could include requiring employees to understand the terms and conditions of using sensitive data, reinforced through awareness and instructional programmes held periodically in the company.