What CISOs Should Tell the Board About Log4j

It’s time for a reset with the board of directors. Very few have a dedicated, board-level cybersecurity committee, which means cybersecurity isn’t viewed as a critical executive function.

Cyberattacks on corporations are now a common and increasingly frequent occurrence, which should lead their boards of directors to take notice and recognize the need to increase funding and enable other security measures. Yet a recent Gartner report finds that while 88% of boards of directors view cybersecurity as a business risk rather than a technology risk, only a fraction have a dedicated, board-level cybersecurity committee, a sign that cybersecurity still isn’t treated as a critical executive function.

With Log4j taking up a lot of security attention in the last month, it is imperative to revisit not only the cybersecurity funding conversation but also how to get the board to pay more nuanced attention to cybersecurity.

Log4j is an open-source logging library maintained by the Apache project; a vulnerability in it, known as Log4Shell, lets attackers run arbitrary code on vulnerable systems or break into applications that use the Apache Log4j framework. The vulnerability is a serious issue, so serious that the federal Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance on remediating Log4j. The Federal Trade Commission (FTC) also said it would take action against companies that don’t take steps to protect consumer data from exposure due to this vulnerability.

The FTC’s announcement appears to be a warning aimed at boards more than at security practitioners: they need to do their due diligence and take corporate ownership of risk impact. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others,” the FTC stated. Read more: https://bit.ly/3uSk7Gr
