Corporate Boards Placed on Alert to Escalating Document Security Risks

The NACD held a meeting to discuss information security issues facing business leaders. Secure collaboration should be a priority for organizations.

4 May 2015


Last week, the National Association of Corporate Directors (NACD), an industry association advocating for the interests of Board members, held a special meeting in Washington, D.C. to discuss information security issues facing business leaders. The conversation was bleak, with the NACD arguing that corporate directors’ mindsets regarding cybersecurity needs to fundamentally change. According to a NACD blog post, one participant at the Global Cyber Summit noted, “We have to go from ‘is it possible we’ll be attacked?’ to ‘it’s probable;’ from ‘how much does it cost?’ to ‘how much should we invest?’; and from ‘can we control cyber threats?’ to ‘how can we keep pace?’”

Fear of cyber-attacks has corporate directors on edge, and for good reason. PwC reported that 2014 saw over 42 million detected security incidents, up an astonishing 48 percent from the previous year. According to CIO magazine and law firm Akin Gump Strauss, cybersecurity oversight is the second most important topic for Boards in 2015 — just behind strategic planning. And it’s not just financial services firms or regulated industries that are concerned — everyone considers this critical.

What should a Board do, and how can CIOs and CISOs educate Board members? On its blog, the NACD suggests these five “boardroom imperatives”:

  1. Cybersecurity is a business risk — Organizations often equate security to technology, and this is usually a mistake. Directors should ensure that the company is properly structured to respond to an attack and has plans for both breach prevention and response to data loss.
  2. Pinpoint critical assets — A perimeter defense strategy that attempts to protect the entire enterprise isn’t possible. Pay special attention to assets and data that have high intrinsic value, or regulatory and compliance sensitivity. Understand how these special assets can be given the highest protection.
  3. Invest in IT systems and teams — Data security is an investment in the company, not a cost center. The NACD noted a significant rise in the number of Chief Information Security Officers (CISOs), and a growing recognition that cybersecurity is largely a human issue. Education can be the most effective tool in preventing data breaches.
  4. Have a jargon-free discussion about the business issues — The often complex, technical issues that surround a data security discussion can discourage open debate of the issues, and hamper decision making. NACD members reported that this can create barriers that prevent a frank assessment of the problems, and the remediation that needs to take place.
  5. Include cyber into strategic decision making — Data protection and security should be part of the front-end of business decisions: strategy, legal, and financial. Proactive protection should permeate the business.

Boards struggle to deal with these security issues for two reasons.

  1. First, the complexity and sophistication of cyber threats has escalated dramatically — traditional boundaries and lines of defense no longer work. Firewalls and identity management are no longer sufficient defenses. Additionally, the impact of data loss is escalating beyond business disruption to include significant corporate risk, regulatory exposure, and brand damage.
  2. Second, competitive pressures to deploy relatively cost-effective or free, “consumer” technologies are increasingly thwarting the attempts of CTOs and CIOs to control and govern how corporate information is managed. Secure collaboration should be a priority.

However, what’s clear from the NACD is that adequately protecting company documents is a universal concern, shared by organizations of all sizes and industries. It’s time for all organizations to put information security first.

Todd Partridge

Todd Partridge

Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions ranging from sales, marketing, product management, positioning and strategy.