Recently, there have been more reports of hacker attacks in Switzerland (March 2016). In this context, the discussion arises for the first time as to whether safety experts should not be delegated to the Board of Directors. So the question is: Does it make sense to assign a highly specialized activity to a board of directors that generally has little to do with the company’s core business?
In my opinion, this approach is only worthwhile if the company sees information processing as its core business. An example in which this would certainly be appropriate would be with online-only retailers. Such companies should definitely consider bringing on board a board of directors with a background in information security. On the other hand, the job profile of the board of directors must be designed in such a way that security is only a partial task. One must be able to assume that the Board of Directors is an active member and also cares about others. can take care of strategic issues, for example. Pure security experts usually do not bring this competence with them, unless they are or were active as entrepreneurs. If neither of these conditions are met, then it makes much more sense to shift safety tasks to the operational level. The requirements of the Board of Directors on the subject of risk can also be met in other ways. The Board of Directors may seek external as well as internal advice in this regard. However, in the spirit of separation of powers, I believe that it would be more appropriate for the Board of Directors to appoint an advisory board to advise it on these matters.
Not to forget the fact that many security experts come from a technical background. It is of little use for a board of directors to have discussions with a former system programmer who worked exclusively on the level of bits and bytes. This may be useful when it comes to awarding contracts to highly specialized security companies. The board of directors should be concerned about the risk landscape and be able to assess what overall risks are associated with information processing. And hacking attacks represent only a very small part of the real threats. In this respect, even former military personnel are hardly suitable as VRs.
However, another issue is in the foreground for me: THE IMPORTANCE OF HACKER ATTACKS IS MASSIVELY OVERVALUATED (cf. the article on“Common misconceptions in Infosec“)! This is because most companies do not have their IT sufficiently under control. The majority of successful attacks are only possible because IT is not managed properly (keyword: IT governance). Before someone appoints a board of directors exclusively for protection and security, one would have to be able to assume that the company has its IT, or information processing, completely under control. However, this is true for less than 5% of all companies! First and foremost, therefore, the principle applies: get a grip on information processing and IT first. This also includes sensible (IT) security management.
As a normative body, the board of directors has the task not only of keeping an eye on the risks of new technologies, but also of exploring the opportunities and actively bringing them into the company. A digitization strategy should be part of the board agenda in almost every company today. At the same time, the Board of Directors also has a duty to follow up and monitor the implementation of these initiatives. Today, it is no longer enough to delegate these tasks to IT or leave them to management. Because of its full accountability, the board of directors does well to actively engage with these initiatives -> information-governance.
With the increase in digitization and the strategic importance of these projects, the Board of Directors has an increasingly important role to play. While IT topics used to be on the fringe agenda of a board meeting at most, digitization initiatives are now everywhere. Depending on the importance of the information in the context of the core business or in dealing with regulatory requirements, the board of directors may need to actively address it. This on the one hand as part of its risk management activities, and on the other hand as a task to promote strategic development.