Category: Boards

  • Balancing Budgets and Breaches: The Risky Tradeoff of Cutting Tech Talent

    Balancing Budgets and Breaches: The Risky Tradeoff of Cutting Tech Talent


    In an era where technology drives competitive advantage, companies are under increasing pressure to cut costs while remaining innovative. Artificial Intelligence (AI) has emerged as a compelling solution, promising automation, efficiency, and scalability. For executive boards focused on shareholder value and margin expansion, it’s easy to see AI as a strategic investment—especially during periods of financial tightening.

    But as organizations accelerate their shift toward automation, many are making a consequential tradeoff: reducing their technical headcount, especially in cybersecurity and IT operations. While this may appear to streamline expenses in the short term, the longer-term implications deserve closer scrutiny.

    Recent examples from major firms like Microsoft and CrowdStrike underscore this trend. Both companies have announced workforce reductions—7,000 and several hundred jobs respectively—while ramping up AI investments (Microsoft Layoffs, CrowdStrike Cuts). For board members, this shift may look like prudent fiscal management—but there’s another side to the story.

    Cybersecurity Staffing: An Unseen Cost

    According to a Dark Reading article, mass layoffs in information security can create hidden vulnerabilities. More than 80% of departing employees take some form of sensitive information with them, either unintentionally or maliciously. That risk grows sharply when defensive cybersecurity staff are reduced or replaced without a solid transition plan covering access revocation and the handover of institutional knowledge.

    Cutting defensive staff may also mean fewer eyes on real-time alerts, fewer team members conducting penetration testing, and longer response times during active threats. AI can certainly assist with detection and automation—but it still needs experienced humans to interpret signals, act with nuance, and make judgment calls in rapidly evolving threat environments.

    Why Boards Feel the Pressure

    From the boardroom perspective, AI can look like a smart play. Technology vendors promise lower long-term operational costs, 24/7 monitoring, and faster throughput. And with capital markets and investors increasingly fixated on profitability and growth, the drive to find cost efficiencies is real. This is particularly acute in tech-heavy sectors where headcount is a large portion of operational spend.

    However, while automation can enhance productivity, it doesn’t eliminate risk. When cybersecurity roles are seen as cost centers rather than risk mitigation investments, the balance can tip dangerously toward exposure.

    A Smarter Path Forward

    This isn’t a call to reject AI. On the contrary, AI is already improving outcomes in areas like phishing detection, log analysis, and behavioral anomaly monitoring. But it works best as a co-pilot—not a replacement—for skilled professionals.

    Boards and executive teams must consider hybrid models that integrate AI with existing human talent. Upskilling employees to work alongside AI, rather than replacing them outright, can preserve institutional knowledge while embracing innovation.

    Final Thoughts

    It’s understandable that companies seek to do more with less. But as cybersecurity threats become more sophisticated and reputational risks grow, the decision to replace experienced defenders with machines should be made with full awareness of the tradeoffs. AI may be the future—but it’s not a substitute for human expertise just yet.


  • Elevating Board Performance: Insights and Opportunities

    Elevating Board Performance: Insights and Opportunities

    Boards play a critical role in guiding organizations towards success, but how often do they truly add value? Surprisingly, executive sentiment toward boards is less than stellar: only 29% of executives rate their board as “good” or “excellent,” according to PwC research. Even more telling, other studies suggest that 34% of board members feel their boards were either neutral or detrimental to their organizations’ value.

    So how do you add value?

    “The primary job of the board is to get the right CEO. Nothing works without that. With an underperforming or bad actor CEO, it’s really tricky to get anything done because you just don’t have the executive power. So when it comes to hiring a new CEO, take the time necessary. It’s incredibly important.”

    Stuart Roden
    1. Selecting the Right CEO: Stuart Roden from Lansdowne Partners emphasizes the board’s essential role in choosing a competent CEO, as the organization’s success pivots on this crucial decision. How well the board performs this one task is probably the single biggest indicator of its success.
    2. Encouraging Open Dialogue: “We have groupthink year after year, decade after decade” – Baroness Helena Morrissey advocates creating a “safe space” for dissent and challenge, which is crucial for avoiding the pitfalls of groupthink.
    3. Broadening Diversity: “There are other forms of diversity than demographics.” – Alex Edmans, Professor of Finance at London Business School, suggests that diversity isn’t just demographic but includes varied backgrounds and experiences, enhancing the board’s overall effectiveness.
    4. Iterative Strategy Development: Roger Martin, recognized by Thinkers50 as the world’s #1 management thinker, advises on a collaborative approach to strategy formulation, engaging the board throughout the process.
    5. Focusing on Ethics: “If ethical questions are the reason a large portion of CEOs … are losing their jobs, then [the board] needs to do much more to investigate and evaluate their ethical stance.” – Baroness Dambisa Moyo, board member at Chevron and Conde Nast, highlights the importance of ethical considerations within board decisions, which can significantly impact the organization’s direction and integrity.
    6. Risk Management: Sir Richard Dearlove, former MI6 Chief, points out the necessity of recognizing and managing both typical and exceptional risks that could threaten the organization’s survival.

    “There’s an established framework of everyday risk, largely what your risk register covers, which isn’t too problematic. But there is also life and death risk for companies, which is usually on the outside of the framework. So the important thing is for your senior leadership team to understand when they’re looking at something which is on the outside of the framework, not on the inside. And it’s about identifying where the edge of the known risk map is.”

    7. Comprehensive Reviews: Dr. Sabine Dembkowski from Better Boards insists on the importance of thorough and objective board evaluations to foster continuous improvement.

    Special thanks to Oliver Cummings, CEO of Nurole, for his commitment to enhancing boardroom dynamics and for providing these valuable resources.

    Together, let’s strive to enhance our boards, ensuring they not only deliver value but also drive our organizations toward unprecedented success.

  • First 90 Days: From Chairperson to CEO

    First 90 Days: From Chairperson to CEO

    Three months ago, an opportunity presented itself that would significantly alter my professional journey and the trajectory of Lamp of Learning. The board of directors extended an invitation for me to formalize my role within the organization and step into the CEO position. Having served as the Chair for many years, this transition was both an honor and a monumental step forward.

    Reflecting on the first 90 days of this new role, I’ve encountered numerous learning opportunities and challenges. These experiences have not only contributed to my personal growth but have also strengthened the foundation of Lamp of Learning. Here, I share three pivotal lessons learned during this period, which I believe can serve as valuable insights for leaders and organizations alike.

    1. Leveraging the Talent on the Board

    One of the first and most crucial lessons I learned was the importance of taking full advantage of the talent present within our board. While not every board member assumed a leadership role, those who did step up brought invaluable skills and perspectives to the table. This realization underscored the significance of recognizing and utilizing the diverse talents of our team members. By encouraging board members to contribute their unique expertise, we were able to enhance our strategic planning and decision-making processes, leading to more innovative and effective solutions for the challenges we faced.

    2. Distributing Workload to Committees

    Transitioning from a position where I was accustomed to leading every initiative to one where I had to distribute responsibilities was a significant adjustment. Establishing committees with specific deliverables was a strategic move that not only alleviated the workload on my shoulders but also empowered other members of the organization to take ownership and lead. This approach fostered a sense of accountability and commitment among the team, leading to more focused and productive efforts. The committees were instrumental in driving our programs and events to new heights, demonstrating the power of collective effort and collaboration.

    3. Actively Engaging in the Community to Drive Donations

    Another area of growth during these first 90 days was learning how to more effectively drive donations through active community engagement. While this is an aspect I am still developing, the initial results have been promising. Engaging more deeply with our community has not only helped raise awareness of our mission but has also started to make a tangible impact on our fundraising efforts. This experience has taught me the importance of building and nurturing relationships within the community, as these connections are vital in garnering support and resources for our cause.

    Conclusion

    As Lamp of Learning celebrates its 20th anniversary, I am filled with pride for the progress we have made and the direction in which we are headed. The past 90 days have been a period of significant learning and growth, both for myself and for the organization. The lessons learned in leveraging the talent of our board, distributing workload effectively, and actively engaging in the community to drive donations have been instrumental in our success. I am grateful for the guidance of mentors like Cheri Pierre and James Floros, and for the dedicated efforts of individuals such as Ann Gladys and Susan Zale, who have been pivotal in our achievements.

    This journey has reaffirmed my belief in the power of teamwork, strategic planning, and community engagement. As we move forward, I am excited to continue applying these lessons and to explore new opportunities for growth and impact. The future of Lamp of Learning shines bright, and I am honored to lead this remarkable organization into its next chapter.


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • The Imperative for Cyber Talent on Corporate Boards

    The Imperative for Cyber Talent on Corporate Boards

    In an era where digital threats loom large over corporations, the integration of cyber governance within the boardroom is not just a strategic advantage but a necessity for safeguarding shareholder value. A recent study highlighted by David Strom on Dark Reading reveals a compelling narrative: corporations that embrace cyber governance are not just better protected; they’re significantly more valuable.

    The Value Proposition of Cyber Governance

    The study, a collaborative effort between Bitsight and Diligent Institute, delves into the cybersecurity practices of over 4,000 mid-to-large-sized companies worldwide. It uncovers a striking correlation between cybersecurity expertise and shareholder returns over both three and five-year periods. Specifically, companies that have dedicated efforts towards robust cyber governance have created nearly four times the shareholder value compared to those lagging in this area.

    Specialized Committees: The Game Changer

    One of the study’s key findings is the pivotal role of specialized committees in enhancing a company’s security posture and financial performance. Boards that delegate cyber oversight to these committees, particularly those with at least one cyber expert member, are more likely to see improvements in their overall security and financial outcomes. This approach allows for a deeper dive into specific cybersecurity issues, fostering stronger executive relationships and more informed decision-making at the board level.

    A Call to Action for Corporate Boards

    Despite the clear benefits, the study reveals a stark reality: a vast majority of companies have yet to integrate cybersecurity specialists into their boards effectively. Only a small fraction of surveyed companies, including 12% of S&P 500 firms, have such experts on their boards. This gap underscores a critical need for corporate boards to reassess their composition and governance structures to integrate cybersecurity expertise effectively.

    Beyond Compliance: Cybersecurity as a Strategic Asset

    The conversation around cybersecurity in the boardroom needs to shift from viewing it as a mere compliance requirement to recognizing it as a strategic asset. Cybersecurity expertise not only protects the company from digital threats but also opens avenues for revenue creation and operational agility. As the digital landscape evolves, so too should the strategic approach to cybersecurity governance at the highest levels of corporate leadership.

    What Can We Expect?

    The evidence is clear: integrating cyber talent into corporate boards is not just a matter of security—it’s a strategic imperative that significantly enhances shareholder value. As companies navigate the complexities of the digital age, those that prioritize cyber governance within their boardrooms will not only safeguard their assets but also position themselves for unparalleled growth and resilience.


    References:

    Dark Reading: Corporations With Cyber Governance Create Almost 4X More Value

  • Corporate Social Responsibility: An Outline to Meaningful Collaboration

    Corporate Social Responsibility: An Outline to Meaningful Collaboration

    It’s refreshing to see companies stepping up to partner with nonprofits. Usually labeled as Corporate Social Responsibility or CSR, this collaboration not only fosters community spirit but also creates a ripple effect of positive change that can span the globe. Companies, big and small, have a unique opportunity to make a significant impact by aligning with nonprofit organizations. Recognizing the value of giving back to society not only enriches their communities but also enhances their own reputation and employee satisfaction. Here’s a friendly guide on how companies can embark on this journey of meaningful collaboration and why it’s a win-win strategy. 

    Avoiding the Backlash

    Corporate Social Responsibility has become a pivotal aspect of modern business strategy, with companies eager to showcase their commitment to social responsibility to attract and retain customers. Yet, amidst genuine efforts, a concerning trend emerges: numerous firms are merely paying lip service to these ideals. This phenomenon, known as “greenwashing,” refers to businesses that profess environmental stewardship without implementing meaningful actions to support the environment. Similar deceptive practices include “pinkwashing,” where companies claim to support breast cancer research or LGBTQ+ rights superficially, and “whitewashing,” where organizations attempt to hide unpleasant facts, especially in a political context. These labels highlight the discrepancy between corporate claims and actual practices, underscoring the need for authentic and transparent CSR initiatives. Clearly, companies can’t simply make claims that are not aligned with reality or they will suffer backlash.

    1. Identify Shared Goals

    The first step in creating a successful partnership is to identify nonprofits whose mission aligns with your company’s values and goals. Whether it’s environmental sustainability, education, health, or social justice, finding common ground is crucial. This alignment not only ensures a good and harmonious relationship but also amplifies the passion and dedication towards achieving common goals.

    2. Leverage Your Company’s Strengths

    Nonprofits often operate with limited resources and your company’s unique resources, skills, and expertise can greatly benefit them. Whether it’s through providing technology support, marketing resources, or financial assistance, understanding how you can best serve the nonprofit will make the partnership more valuable. Tailoring your support to match the nonprofit’s needs can lead to more effective and meaningful collaboration. 

    3. Engage Your Employees

    Create volunteer opportunities that allow your team to actively participate in the nonprofit’s activities. Whether it’s organizing fundraising events, participating in community service days, or offering pro bono services, employee engagement can strengthen the bond between your company and the nonprofit, making the partnership more dynamic and impactful. 

    4. Aim for Long-Term Relationships

    A one-time partnership can be beneficial, but long-term relationships with nonprofits lead to more substantial impacts. They allow both parties to plan and execute larger projects, measure outcomes more effectively, and build a deeper connection. This sustained effort can lead to transformative changes and a stronger community presence.

    5. Provide Financial Support

    While non-monetary contributions are incredibly valuable, financial support remains crucial for most nonprofits. It can take various forms, from direct donations and matching employee contributions to sponsoring events or specific projects. Financial contributions help ensure the sustainability of the nonprofit’s programs and allow them to expand their reach and impact.

    6. Promote the Partnership

    Publicizing your partnership with a nonprofit can increase awareness of the cause and encourage others to support it as well. You can use your company’s platforms, such as your websites, social media channels, and newsletters to share stories about your joint efforts and successes. This not only highlights the nonprofit’s work but also showcases your company’s commitment to social responsibility, which can enhance your brand’s image and appeal to socially conscious consumers and potential employees.

    7. Evaluate and Adapt

    Like any business endeavor, it’s important to regularly evaluate the effectiveness of your partnership with a nonprofit. Set clear objectives and metrics from the start and review them periodically. This will help you understand the impact of your collaboration and identify areas for improvement. Being open to feedback and willing to adapt your strategies will ensure that the partnership continues to be beneficial for both parties.

    Conclusion 

    Partnering with a nonprofit offers a unique opportunity for companies to contribute to societal good while also enriching their corporate culture. At the heart of these collaborations is the shared goal of making the world a better place. By working together, companies and nonprofits can amplify their impact and achieve remarkable results. 

    Remember, it’s not just about making donations; it’s about making a difference. Let’s join hands and hearts to create a world where business success and social progress go hand in hand! 


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is also CEO of a mentoring non-profit in San Diego, Lamp of Learning. He writes on Corporate Social Responsibility, cybersecurity, and board management for both corporate and nonprofit boards.

    References:

    How Companies Can Partner with Nonprofits (hbr.org)

    Your Ultimate Guide to Corporate-Nonprofit Partnerships (donorbox.org)

    Corporate Partnerships for Nonprofits: Basics and Best Practices – Nonprofit Megaphone

    Nonprofit-Corporate Partnerships: Why They’re Important and How to Find Them (causevox.com)

  • Do CISOs Serve as Human Shields for the Board?

    Do CISOs Serve as Human Shields for the Board?

    In a revealing article by Noah Barsky on Forbes, the recent actions of Clorox following a major cyberattack pose critical questions about the role and treatment of Chief Information Security Officers (CISOs) in corporate governance. This is certainly not unique: the CISO is often the sacrificial lamb after an incident.

    “If CEOs can suffer when earnings are bad, isn’t this the same thing?”

    The answer is no, because the CEO has the power to implement what is needed. The CISO is often not as empowered and must make the best of what they are given. In essence, the CISO may be handed a losing hand from the beginning with no power to change it.

    In the case of Clorox suffering one of 2023’s most costly cyberattacks, which disrupted production and significantly impacted revenues and valuation, Clorox’s response was telling. The company chose to empower and enrich its board and C-suite, while simultaneously announcing the departure of its CISO, Amy Bogac. This move highlights a concerning trend where CISOs are positioned in a precarious situation, expected to manage cybersecurity risks without adequate support or recognition, and often bearing the brunt of responsibility in the event of a breach.

    The article points out several governance issues in Clorox’s approach:

    • The lack of direct mention of cybersecurity in the opening statements of the CEO and outgoing chair in the proxy statement.
    • The reappointment of all board directors without any professional IT or cybersecurity experience.
    • No establishment of a dedicated technology or cybersecurity committee.
    • The cyber preparedness plan, despite the significant breach, showed no substantial updates from previous years.

    This situation at Clorox exemplifies a broader issue in corporate governance where there is a disconnect between boards and cybersecurity leaders. The article cites a survey indicating that many board members still feel unprepared for cyberattacks and have limited interaction with their CISOs.

    Reflection:

    • How can companies better integrate cybersecurity into their corporate governance and board responsibilities?
    • What steps should be taken to ensure CISOs are not merely scapegoats but are empowered to effectively manage cybersecurity risks?
    • Is the current corporate structure adequate to address the evolving challenges of cybersecurity, or are more radical changes needed?

    Read the Forbes article here: Clorox Scapegoats Cyber Chief, Rewards Board After Crisis (forbes.com)


  • Is for-profit experience valued in a nonprofit?

    Is for-profit experience valued in a nonprofit?

    Today, I’m diving into a topic that often frustrates executives looking to move into nonprofit management: The value of for-profit experience in the world of nonprofits. At first glance, it might seem like these two sectors operate in entirely different realms – one driven by profit margins and the other by a passion for social change. However, as we explore further, you’ll find that the line between them isn’t always as clear-cut as it appears. We’ve all heard the saying, “Do what you love, and you’ll never work a day in your life.” But what happens when the thing you love – making a difference – meets the corporate world’s practicality and profit-oriented approach? Is there room for both passion and profit in the nonprofit sector?

    First, let’s clear this up

    Coming from the for-profit world does not mean you lack passion for the mission! People are people; we all have values and beliefs no matter where we work.

    Breaking Down the Stereotypes: NonProfit vs. For-Profit

    There’s a common misconception that nonprofits are purely driven by passion and lack business acumen, while for-profits are perceived as lacking social concern. The distinction isn’t as black and white; it’s more about organizational priorities. Having experienced both realms, I recognize the origin of this stereotype. While the mission of nonprofits takes center stage, attracting like-minded individuals, not all of them bring a strategic approach. Yet many nonprofit boards comprise individuals with robust business expertise who typically work in the for-profit realm, which says something about their social consciousness. As the world evolves, the lines between these sectors are becoming indistinct, merging the strengths of both domains.

    The Value of For-Profit experience in NonProfits

    The nonprofit world is driven by fundraising. Thus, fundraising experience is the single most important skill many NomGov (Nominating and Governance) committees look for. While I understand this logic, I think it is flawed, in the same way that hiring a CEO based only on sales skills is flawed. Just like CEOs, executive directors (EDs) can certainly be great without sales or fundraising experience.

    For-profit experience can bring new skills to a nonprofit:

    1. Business Acumen – Those with for-profit experience often bring a strong sense of business acumen. They have the ability to understand and deal with various business situations in a way that leads to a good outcome. They have the skills that are invaluable in any organization, including nonprofits. 

    2. Innovation and Creativity – For-profit environments foster innovation and creative problem-solving. Bringing this innovative spirit to the nonprofit sector can lead to new, groundbreaking solutions for the challenges these organizations face.

    3. Networking and Partnerships – Individuals with for-profit backgrounds often have extensive networks. Leveraging these connections can open doors to collaborations, funding opportunities, and partnerships, strengthening the nonprofit’s impact. 

    4. Sustainability – Applying for-profit principles can help nonprofits become more self-sustainable. By diversifying funding streams and creating revenue-generating programs, nonprofits can reduce their dependence on grants and donations, ensuring long-term stability. 

    Finding The Right Balance: Passion Meets Practicality

    While for-profit experience brings a lot to the table, it’s still essential to strike a balance. Of course, nonprofits must maintain their core values, integrity and social mission but it’s not about sacrificing passion for profit; it’s about integrating the truly valuable skills. 

    In a world where challenges are becoming increasingly complex, the integration of for-profit expertise in nonprofits represents a powerful force for positive change. By embracing diversity in experiences and perspectives, nonprofits can evolve, adapt, and maximize their impact on the communities they serve. 

    So, is for-profit experience valued in a nonprofit? Absolutely. Passion is the driving force behind nonprofits, but practical skills acquired in the corporate world can amplify the impact of that passion. It’s not about prioritizing profits over purpose but about leveraging the best of both worlds. Remember, at the heart of both nonprofits and for-profits are people – individuals driven by a desire to make a difference. By fostering collaboration between these sectors, we can create a world where passion and profit work hand in hand, making our collective dreams of a better tomorrow a reality.

    Keep dreaming, keep believing, and keep making the world a better place, one passionate step at a time!

    References:

    10 Ways Nonprofits Can Utilize Team Members’ For-Profit Skills (forbes.com)

    For-Profit vs. Nonprofit: 9 Key Differences | Indeed.com

    Passion vs. Practicality: Balancing Dreams and Realities | by Startup Lab | Medium

    Can nonprofit “partner” with for-profit? | Nonprofit Issues


  • Best Practices for Board Members to Manage Cybersecurity Risks

    The role of corporate board members is no longer confined to the traditional realms of strategy and finance. Businesses today rely heavily on technology and the internet, so cybersecurity has become a critical concern for every boardroom. Organizations of every size and industry are increasingly exposed to cyber threats with far-reaching consequences. This is where board members become crucial: managing cyber risk is no longer just an IT issue; it’s a business imperative. In this post, we’ll look at what cyber risk is and how board members can effectively manage and mitigate it to ensure a secure and prosperous future for their organizations.

    Understanding Cyber Risk

    Before diving into the strategies to manage cyber risk it’s really important that we understand what cyber risk is. Cyber risk refers to the potential damage, financial loss, or reputational harm that an organization may face due to cyber attacks, data breaches, or other malicious activities. Imagine having your company data held hostage by criminals. How much would a ransom cost? What if your company’s confidential information was publicly released or worse, your customer’s information? The right cyberattack could destroy a company.

    The Role of Board Members in Cybersecurity

    Board members play a critical role when it comes to cybersecurity within the organization. Their oversight and involvement in cybersecurity matters can shape the organization’s overall approach to risk management. Here’s how board members can effectively manage cyber risk:

    1. Education and Awareness

    It’s unrealistic to expect every board member to be a cybersecurity expert, but a basic understanding is crucial. Board members should make an effort to learn about the evolving landscape of cyber threats and the potential impact they can have on the organization. This knowledge will enable them to ask informed questions, follow technical discussions, and make well-informed decisions regarding cybersecurity measures.

    2. Establish a Cybersecurity Culture

    A strong cybersecurity culture starts at the top. Board members can influence this culture by promoting open discussions about cybersecurity, encouraging employees to report suspicious activities, and emphasizing the importance of following best practices to ensure data protection.

    3. Collaborate with Experts

    While board members don’t need to be cybersecurity experts themselves, they should engage with and seek advice from professionals who specialize in cybersecurity. 

    4. Risk Assessment and Management

    Board members should work with management to conduct regular risk assessments that identify potential vulnerabilities and threats. Based on the assessment, they can work together to develop and implement a comprehensive cyber risk management strategy that aligns with the organization’s goals and resources.

    5. Develop and Implement an Incident Response Plan

    The truth is that no organization is immune to cyber incidents, which is why board members should ensure that the organization has a well-defined incident response plan in place. This plan should outline the steps to take in the event of a cyber incident, including communication protocols, containment strategies, and recovery procedures.

    6. Regular Updates and Reporting

    Board members should receive regular updates on the organization’s cybersecurity posture. These updates should include information about ongoing security initiatives, the status of any ongoing threats, and the effectiveness of implemented security measures.

    As technology continues to advance, so do the threats posed by cybercriminals. Board members play a crucial role in protecting their organizations against these threats by taking proactive measures to manage cyber risk effectively. Always remember that a united front against cyber risk starts at the top and ripples throughout the entire organization. Ultimately, a proactive and collaborative approach to cybersecurity risk management will not only protect the organization’s assets but also safeguard its reputation and ensure long-term success!



    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • Are boards and CISOs finally aligning? Not in Healthcare.

    Great findings from the Proofpoint 2023 Survey! It’s worrying that Healthcare boards and CISOs aren’t talking enough, especially with rising cyber threats.

    In general, the collaboration between CISOs and board members has significantly improved, providing optimism that views on cybersecurity in the boardroom are evolving. It’s no longer seen merely as a compliance requirement but as a strategic asset that can influence business direction. This enhanced partnership seems to be elevating the board’s confidence in cybersecurity matters. Even amid worries about potential cyber threats and readiness gaps, board members express a sense of assurance and command over their security stance.

    The fact that healthcare boards are lagging in this area is a wake-up call for the industry. Regular executive sessions between the board and the CISO should be considered not just a “leading practice” but a necessity. It’s high time for healthcare boards to prioritize cybersecurity in their governance models.

    It’s crucial for boards to understand that cybersecurity is not just an IT issue but a strategic risk that can have significant implications on operations, clients, compliance, and public trust. The CISO’s role is pivotal in navigating these complexities, and their insights should be a regular feature in board discussions.

    A highlight in the report is that of all countries responding, the US is most likely to have board members and CISOs agree that they see eye-to-eye with each other. Also, 67% say that the CISO adequately supports them. However, more CISOs feel their organization is at risk of a material attack in the next 12 months than boards do.

    #CISO #HealthcareCybersecurity #BoardGovernance #QTE #CORPGOV


  • Three mistakes companies make in cybersecurity

    Throughout my consulting career, I have had the opportunity to guide numerous companies through challenging situations arising from inadequate cyber maturity. While each case presented its unique challenges, I consistently observed three major mistakes that companies tend to make when approaching cybersecurity. These mistakes, if left unaddressed, can leave organizations vulnerable to significant risks and potential cyber threats. By understanding and rectifying these mistakes, companies can strengthen their cybersecurity posture and mitigate potential damage.

    Mistake 1: Relying Solely on Compliance-Focused Programs

    One common mistake is relying solely on compliance-focused security programs, which prioritize meeting regulatory requirements such as PCI DSS, HIPAA, SOC 2, and ISO 27001. While compliance is important, it alone does not provide comprehensive protection against cyber threats. This approach often leads to a false sense of security and reactive measures that only address known risks and vulnerabilities. In today’s ever-evolving threat landscape, this approach falls short as cybercriminals constantly develop new attack methods. Compliance-focused programs are fragmented and do not adapt well to the changing nature of cyber threats. Organizations need a proactive and comprehensive security strategy that goes beyond compliance to effectively defend against evolving threats.

    Mistake 2: Treating Security as Solely an IT Problem

    Treating cybersecurity as solely an IT problem is another mistake that fails to recognize it as a business risk requiring board-level oversight. Cybersecurity impacts the entire organization and extends beyond technical aspects. Breaches can result in substantial financial losses, reputational damage, and loss of trust. Viewing cybersecurity as solely an IT issue leads to siloed thinking, inadequate investment allocation, and a lack of accountability at the highest levels. It overlooks the importance of cross-functional collaboration, cultural change, and non-technical factors such as employee training, incident response planning, and third-party risk management.

    Mistake 3: Thinking a Penetration Test Implies Security

    A misconception is assuming that conducting a penetration test guarantees complete security. While penetration testing is valuable for identifying vulnerabilities, it does not provide a comprehensive solution on its own. Organizations often rely solely on penetration testing without addressing other critical aspects of cybersecurity. It offers a snapshot of security at a specific time, but cannot account for emerging threats or ongoing changes. Robust security requires a layered approach, including regular assessments, vulnerability management, training, incident response planning, and continuous monitoring. Recognizing the limitations of penetration testing and implementing a comprehensive security program helps protect against evolving threats and enhances overall security.

    To address these challenges, organizations must adopt a holistic approach to cybersecurity. Indeed, I first considered this to be a fourth mistake for the list but see it more as a method. It should be treated as a business problem and an enterprise-wide risk. It also must align with the business objectives of the company. This approach involves integrating regulatory requirements into a broader security strategy and engaging the entire organization, including the board of directors. By recognizing cybersecurity as a strategic concern, organizations can develop a comprehensive and systemic approach that encompasses people, processes, and technology.

    Tracc Development offers cybersecurity consulting services to small businesses. If you are a board member looking for great advice, consider EgonZehnder.
