Cybersecurity is a fiduciary task, not a technical one. Assessing risk and organizational readiness isn’t a responsibility relegated only to IT leaders — board oversight and executive leadership are critical to the process.

Meet Our Expert

Heather Hinton
Heather Hinton
CISO at Sitecore

Moving from Technical Debt to Strategic Governance

It’s easy to associate fiduciary tasks with things like spreadsheets, sales figures, and revenue reports. 

“That’s all very mathematical,” explains Heather Hinton, cybersecurity specialist and instructor at Harvard Professional & Executive Development. “But security is also a fiduciary responsibility. If you are insecure, if you get compromised, or have to pay regulatory fines because of a data breach, then you are destroying shareholder value. These aren’t things you control in a spreadsheet.” 

Cybersecurity is also a competitive advantage. Customers — whether a B2B client or an everyday end user — are becoming more discerning in how and where they choose to spend their money. Hinton cites supply chain risk management — sometimes called third-party risk — as an example. 

“Customers are far more diligent in how they evaluate the security posture of their vendors,” she says.

The 4 Questions for Cybersecurity Governance

As they develop their cyber risk management plans, business leaders can start with key strategic questions like these. 

1. What are our crown jewels? And are they protected consummate with their value? 

Ranking company data by value is an obvious place to start, but Hinton stresses that stronger attention should be paid to the top business priority in the case of a breach or attack: is it more important to restore services or preserve evidence? 

“If I’m trying to get availability back up, that’s my number one priority. I will clobber things in order to get these services back up,” she says. On the other hand, “If preserving evidence is the priority, I’m not getting my environment up and running in a hurry; that just isn’t going to happen.” 

You could spend tens of millions of dollars on robust data classification, data protection, and data leakage protection — but there also needs to be an investment in safeguarding against internal compromises, like phishing. 

Especially in highly regulated industries, it’s important to protect not just information, but also to have a process in place to holistically manage risk or response. 

“The impact of that breach will be massive regulatory fines,” explains Hinton. “So I can say, ‘Here’s what I’m doing to protect the data, but here’s what I’m doing to protect everything else.’”

2. How are we measuring the ROI of cybersecurity governance? 

It’s important to look at cyber risk management through a financial lens, including what success looks like for an organization. For instance, how do you measure the ROI of these efforts? Hinton says the answer isn’t so straightforward. 

“The best measure of ROI is avoidance of regulatory fines,” she explains. “And the minute you start having an avoidance conversation, you open yourself up to people saying, ‘Well, of course you’re going to say that… you’re selling fear, uncertainty, and doubt.’ So it’s a fine line to walk when you talk about ROI.”

But, inevitably, people want numbers. For Hinton, she always starts with a baseline, and then explores how that baseline has improved. This could be measurable results like reducing the number of clicks in a phishing exercise from the previous month or lowering mean time to detect or respond to an incident.

 3. What is our “Maximum Tolerable Downtime” (MTD) for core operations? 

Companies and organizations might have multiple levels of products and systems, each of which might have a different MTD in the case of an incident. And that duration may fluctuate during different times of the year. So it’s important to parse that out not just by system, but also by stage in a business cycle. 

Hinton provides an example: “I can tolerate a day or two of downtime of something like Salesforce at the beginning of the quarter. But when it’s the last day of the quarter and I’m trying to register all of my sales ahead of a quarterly earnings report, I can’t tolerate much more than ten minutes of downtime.”

4. How does our cyber risk management align with our 3-year growth strategy? 

Cyber and information security should be a vital component of any risk assessment pertaining to business growth strategy, right along with items like a downturn in the economy, a rise in interest rates, political volatility, and global conflicts. 

“Every decision you’re going to make about your strategy, at some point or another, has a cybersecurity angle that you have to pay attention to,” advises Hinton. 

She suggests a few questions to consider: 

  • Am I moving into a risky new vertical?
  • Am I going to take on an area that has restrictive regulations?
  • Am I going to move into an area that’s a known hotbed of bad actors — and do I really want to go? 

Security is also a fiduciary responsibility. If you are insecure, if you get compromised, or have to pay regulatory fines because of a data breach, then you are destroying shareholder value. These aren’t things you control in a spreadsheet.

Heather Hinton

Preparing for the Wild Card: The Human Factor

Beyond those four questions, it’s also imperative to consider the company culture surrounding security. No matter how solid technical controls and programs are within an organization — no matter how many fancy bells and whistles a system has — there’s always a wild card: humans. 

“It’s really difficult to bring in the unpredictability of human behavior into either a technical or fiduciary conversation,” explains Hinton. She refers to a few examples that some in the industry call “stupid human tricks” — the phishing emails, the “reply to this text” or “download this file” messages. 

“It’s these tricks and the bad actors that we’re trying to control against. But humans are, unfortunately, a non-zero part of this problem,” she says. This is why, when it comes to budget, Hinton explains that it’s vital to spend money in a way that decreases the likelihood of those “stupid human tricks.”

Preparing for the Unprecedented: Addressing the AI Factor

Hinton says risk conversations with boards and executives were never easy, but now they are even harder because of the pace at which threats move. She explains that traditional audits are focused on testing maturity in a human speed environment. In the past, a vulnerability could take a year to be exposed, or a bad actor could sit in an environment unannounced for months. 

“This thinking doesn’t work anymore in the world of AI-driven attackers and threats,” she explains. “Now vulnerabilities are being released together with the exploit… We cannot respond at human speed anymore because we are not being attacked at human speed.” 

Peer-Driven Insights: Learning from Real-World Breach Cases

While every industry, organization, leadership team, and board has a unique culture and expectations, we can learn more about cyber risk management from actual breach cases. Hinton points to case studies like the Verizon Data Breach Response and the IBM Cost of Security Breach Report

“I anchor most of my courses off the Verizon report,” says Hinton. “It’s very thorough. It’s broken down by region, by vertical, by company size, by spend… It’s phenomenal. Quite frankly, all executives need to be reading at least the summary of the report.” 

These are the types of real-world examples examined at length in the Cybersecurity for Business Leaders: Risk and Resilience program from Harvard Professional & Executive Development. In this immersive course, you’ll explore how cybersecurity governance isn’t just a box to check off, but rather a competitive advantage and a crucial aspect of strategic leadership in today’s data-driven world.