Corporate directors focusing on cybersecurity

As high-profile data breaches continue to grab headlines, corporate boards need to make sure they’re deeply involved in the cybersafeguards at their companies.

“They have to accept responsibility,” said David Finn, a former federal prosecutor who spent 16 years leading Microsoft’s efforts to fight cybercrime, counterfeiting and fraud. “It’s not just a server room issue. It’s a board room issue.”

A group of national cybersecurity experts will discuss cyberthreats next week at the Corporate Directors Forum at Qualcomm’s headquarters at 5775 Morehouse Drive. The San Diego non-profit helps corporate board members with training and networking.

Finn, who is now chief operating officer at AppEsteem in Seattle, will join Illumina Chief Information Officer Norm Fjeldheim and FBI Cyber Division Section Chief Philip Celestini on Tuesday (Aug. 23) for the Corporate Directors Forum meeting, which begins at 5:30 p.m.

After a high-profile hack three years ago at Target that compromised personal data of millions of shoppers, the retailer’s board ousted CEO Gregg Steinhafel. The average cost of a data breach globally last year was $4 million, up 29 percent from two years earlier, according to a study by the Ponemon Institute, an independent research group. It costs companies on average $158 for every record lost or stolen in a breach.

“It is a very significant issue that is not going away anytime soon,” said Finn in an interview. “Just look at the press over the last several years, whether it’s recent hacks of the Democratic National Committee, Ashley Madison, JP Morgan, Anthem, Home Depot, Neiman Marcus, The Office of Personnel Management. It goes on and on.”

Corporate boards sometimes view cyberthreats as an information technology department problem. They also may feel they lack the knowledge to oversee cybersecurity efforts.

But ballooning security budgets are bringing more scrutiny to the cyberthreat, with corporate directors often unsure what they need to spend to be safe.

Finn said cybersecurity needs to be tackled not as a technology issue but as a “classic risk management issue.”

“Given that you can’t eliminate the risk completely, you have to prioritize your assets,” he said. “You have to identify risk from third parties, look at whether your leadership has the understanding they need, make sure you are funded properly, think about disclosures if you are compromised. You need to have policies and procedures in place.”

Federal guidelines from the U.S. Commerce Department’s National Institute of Standards and Technology, the U.S. Securities and Exchange Commission and other agencies can help corporate boards get a handle on cybersecurity, he said.

“It can be addressed,” he said. “I don’t think board members need to fear it.”

There is a fee to attend Tuesday’s event, ranging from $60 to $80. For more information, contact the Corporate Directors Forum, 858-455-7930.

mike.freeman@sduniontribune.com Twitter @TechDiego
