A unique international study on cybersecurity reporting to boards of directors

Rising cyber threats make proper cybersecurity reporting to boards of directors ever more important. A new international report, a collaboration between the Centre for Corporate Governance in St. Gallen, Switzerland and the Centre for Cybersecurity Belgium, provides directors with a framework to better fulfil their role in cybersecurity governance. "It's crucial to create a warm handshake between board and management," says Chris Verdonck, initiator of the project.

Cyber threats on the rise

"The threat of cybercrime is increasing significantly. Cyber activism, espionage, and sabotage are also becoming more real due to the geopolitical situation," warns Miguel De Bruycker, Director-General of the Centre for Cybersecurity Belgium (CCB). 

Belgian companies are certainly at risk. "Cybercrime doesn't respect national borders or sectors," according to De Bruycker. "Anyone who can be hacked and where ransom can be demanded is in the crosshairs. Our essential services in particular are definitely targets." 

A unique study

The report is the result of a unique international study surveying 67 large companies in Belgium, Switzerland, and Australia. "Of those 67 companies, 63% were publicly listed, with an average market capitalisation approaching 20 billion," explains Chris Verdonck, senior advisor of the project. 

The researchers spoke exclusively with board members and analysed dozens of so-called 'sanitised' cybersecurity reports from which confidential information had been removed. 

The handshake as a crucial moment

"Before we began the project, I had various conversations with board members about their lack of comfort with this topic during board meetings," Verdonck explains. "Nevertheless, that handshake between board and management is a crucial element."

According to Verdonck, this handshake takes place during the board meeting, when cybersecurity is on the agenda and a cybersecurity report is on the table. "You can have a warm or a cold handshake, and you need both parties for a warm handshake. If one of them offers a limp hand, you can't speak of a warm handshake."

Work to be done

The study reveals that only 65% of interviewees indicated they had the right information to make properly informed decisions. "And I think that's actually quite optimistic," notes De Bruycker. 

"We notice that reporting is done in many different ways," De Bruycker continues. "Some forms of reporting are clearer than others, but there's no real consistency. It sometimes veers into highly technical territory – in our opinion, sometimes too technical for that level – and often misses the link with business risks. That's ultimately the goal: for experts in cybersecurity to be able to translate that information into a language that's spoken at board level." 

"As a board member, you face a clear problem," Verdonck states. "Based on what we’ve seen in the reports, the director gets more of an incomplete picture than a complete one. And that complete picture is of course essential for a board of directors to properly fulfil its duties."

Three key points from the framework

Without going into too much detail, Verdonck provides three key points from the framework proposed in the report: 

  1. Know your environment: "Understand who you are and what you do. What is your organisation's risk level? How long have you been engaged with cybersecurity?"

  2. Organise your board: "Think about how you discuss and organise cybersecurity within the board of directors."

  3. Adapt your reporting: "The reporting should align with where your organisation stands. A beginning organisation needs different reporting than an organisation that has been involved with cybersecurity for years."

Boards often don't know what to ask

"Boards often don't know what questions to ask in this domain," emphasises De Bruycker. "A framework like this can absolutely help with that, so board members feel more at ease, more comfortable with the topic, and also dare to ask questions." 

At that level, no one likes to admit they have little knowledge of a subject. "A framework like this provides structure and contributes to the confidence that we are properly addressing cybersecurity." 

The report, entitled "Cyber Security Board Reporting - The Board's Perspective", will be available mid-April via www.cybersecurityboardreporting.com. Pre-registration is already open.

The promotion code for purchasing this report is 'CyberBoardReporting'

This will apply a 15% discount on the total price.

Please note that this is exclusive to Guberna members and valid until the end of the year 2025.
