Ultimately, security is the responsibility of the CEO. It’s up to the CEO and leadership team to drive investment not only in the security skills your IT team will require today and tomorrow, but also in educating the entire workforce and initiating good security practice organisation-wide.
Board members don’t have to be technical gurus, but they do need to invest time in developing the level of understanding of security issues needed to probe, challenge and support their IT and security specialists.
The threat is often in the detail, so board members must invest time in drilling below the surface.
Adding non-executive specialists to the board, potentially supported by a board sub-committee, would bolster expertise and provide easy access to informed and objective advice.