As for CEOs, they need to work more closely with their boards to plug them into the organization’s data breach and incident response playbooks. “The board needs to be drilled, practiced, and fully aware of the risk so that when it happens, they have the muscle memory and communication ability to deal with it,” OliverWyman’s Mee says. “Because without that, it’s going to go bad fast.”
Boards, for their part, appear to be coming up the learning curve quickly. “Increasingly, boards take this seriously,” Mee says. “I interact with a lot of boards. Cybersecurity is consistently a top-three item. AI is probably top of the list right now for boards. But cybersecurity is too important a topic and has gained greater visibility in front of boards than ever before.”
As CEOs and boards move forward, it should be clear that the data breach buck stops with CEOs and not CISOs and their security teams. “In the past, you’ve put an awful lot of burden of protection and de-risking on an individual who may have been cut from a different cloth and may also not have the power, influence, and governance ability to influence the change needed for security,” Mee says.
