Cyber Security vs Resilience: The Board’s Role

Dateline: February 23, 2018

Welcome to our Friday WRAP – one thought-provoking idea to think about over the weekend.

Cybersecurity is a business concern that must be addressed at every level of the organization. Keeping an organization secure requires awareness, understanding and action by employees, managers and executives. Increasingly, Boards of Directors are addressing cybersecurity concerns, but many are not prepared to provide the leadership necessary at that level. It is not clear what their role should be: should the Board direct cybersecurity strategy? Manage risk? Ensure that management adequately secures the enterprise? All of the above? And what about when a breach occurs: does the Board step in? (Full disclosure: my research with Cybersecurity at MIT Sloan addresses Board of Director cybersecurity education, governance and leadership. See more here.)

Recently, MIT Sloan Management Review published an article by Ray Rothrock (RedSeal), James Kaplan (McKinsey) and Friso van der Oord (National Association of Corporate Directors) titled The Board's Role in Managing Cybersecurity Risk, which addresses this issue. One interesting point made in the article is the distinction between security and resilience. The authors suggest,

Companies should create a clear distinction between digital security and digital resilience. Digital security focuses on essential security measures, including providing such traditional defenses as effective antivirus and anti-malware software, adequate firewalls, and employee education in safe computing practices. Digital security is, therefore, a security issue.  In contrast, digital resilience is a business issue, which relates to how the whole organization conducts business in a digital environment.
In assessing the organization’s strategic cybersecurity policy, the board must balance resilience against security, with priority given to resilience. Over time, your network will be penetrated. Therefore, resilience (the ability to respond to incidents and breaches) should be prioritized over the forlorn hope of security alone as a silver bullet. Security will not enable you to continue to conduct business during a breach. Resilience will. The board must provide necessary leadership in advocating for whole-enterprise resilience policies and practices.

How does your organization balance security against resilience?

That’s a WRAP!  Have a great weekend!