

The Board of Directors Proactive Cybersecurity Mindset


Board of Directors Responsibilities

Financial institutions are economic engines that drive our communities. At the head of each financial institution is a Board of Directors, which oversees and provides direction for the Institution to ensure it operates and meets its customers' needs. The responsibility for such oversight is massive and has evolved greatly over the last ten years to include investments in technology and cybersecurity. The Board of Directors is held accountable to the Institution's shareholders, employees, depositors, the community they serve, and the regulators for the operations of an efficient, safe and sound institution.

Each Institution is examined and measured on the Capital, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market risk, which is known as the CAMELS rating. An Institution’s Information Security Program (ISP) is measured in the Management component of the CAMELS rating and, when managed proactively, provides safe and sound risk management practices for the operations of the Institution.

Managing the ISP is a team effort and includes all operational areas of the Institution. To establish an organization that proactively manages the ISP, the Board of Directors annually appoints an Information Security Officer (ISO) to oversee the activities involved in maintaining a well-managed ISP. Though the Board of Directors is ultimately held responsible for the ISP, the ISO oversees day-to-day information security activities and reports to the Board of Directors at least annually on the overall status of the ISP. Additionally, the Board of Directors appoints an Information Technology (IT – or similarly named) Committee to oversee the day-to-day IT operations and Information Security risk management of the Institution. The Board of Directors appoints members and the Chairperson of the IT Committee, including the ISO as a member or as the Chairperson. The Board reviews the IT Committee minutes and reports provided, offers credible challenges to them, and, as oversight, provides an acceptance or approval.

Much of proactive management is delegated to the ISO and the IT Committee; however, the Board of Directors sets the organizational culture regarding security (mindset) and provides the direction for investing in technology and protecting that investment. The Board of Directors ultimately determines, intentionally or unintentionally, whether an Institution has a reactive or a proactive cybersecurity mindset.


Reactive Mindset vs. Proactive Mindset

A recent PwC Global CEO Survey indicated that cybersecurity is the #1 concern for North American CEOs, which follows a trend among recent surveys. However, less than half of CEOs regularly review their cybersecurity strategies, according to a survey from Forcepoint, and only 11% of organizations feel a “high degree of confidence” in their cybersecurity resilience, according to a Microsoft 2019 Global Cyber Risk Perception Survey.

Each Institution chooses – knowingly or unknowingly – to take a stance when it comes to its cybersecurity mindset. The different types of mindsets, typically driven by a “sudden need,” include:

  • Passive: taking the compliance-driven approach by choosing only to meet regulatory standards, which does not offer protection from today’s cyber threats.
  • Reactive: a step beyond Passive, but only to include reacting to findings and recommendations from IT exams and audits, which can provide some additional protection, but not enough to prevent or properly respond to a cyber incident.
  • Proactive: strategic thinking that moves beyond basic compliance to understand today’s threats and build an ISP that can get out in front of today’s cyber threats and still meet regulatory compliance.
  • Innovative: using IT and information security risk assessments to make better, more-informed decisions that can quantify risk and deploy the right controls to mitigate the most risk of a cyber incident.




Shifting from a reactive mindset to a proactive mindset is one of the key decisions a Board of Directors can make to protect the investments made in technology and an Institution’s confidential information.


Results of a Reactive Mindset

When a Board of Directors continues to have a reactive mindset, the Institution will lack good risk management practices, feel frustrated, and may respond to events without proper preparation, which can result in losing control of spending and costing more to recover from a cyber incident than necessary. The mindset is revealed when an audit or exam results in a long list of items not meeting regulatory guidance or industry-standard risk management practices. A reactive mindset can also reveal itself when a cybersecurity incident takes the Institution out of operation for extended periods of time with significant financial impacts, or a natural disaster destroys the Institution's facilities, and customers are not able to be served the way they need to be served.

Continuing to live in the reactive mindset yields fear and uncertainty, generating a mentality of waiting for an auditor or examiner to tell you what you need to do. In this mindset, there may be a false sense of security (“hey, we got a clean exam!”) and uncertainty about whether you have done enough to protect your Institution. The environment becomes inefficient, and the costs of managing the Institution reactively become a guessing game.


Benefits of a Proactive Mindset

An Institution with a proactive mindset strives not only to achieve a high rating for the Management component of the CAMELS rating, but also to do whatever needs to be done to protect the investments it has made. The Board of Directors' responsibility for oversight of the ISP is better managed proactively. Proactive management does not wait for an audit or exam to tell the Institution what needs to be done. The proactive mindset takes control and regularly risk assesses all areas of the ISP to act and mitigate the identified risks before threats are realized.

An example of a proactive mindset is playing out in front of us today. For months, the Institution has managed how to operate during the COVID-19 pandemic crisis. The Institution proactively developed a Pandemic Preparedness Plan and annually tested the plan through tabletop exercises. The results of those exercises were used to improve the plan and set the Institution up to handle a pandemic like this with little issue relating to customer service or how employees can work. The COVID-19 crisis has made the Pandemic Preparedness Plan critical to the regular operations of the Institution. The benefits of a proactive mindset prepared the Institution to make decisions quickly and take action to operate and serve customers.

There are many strategic advantages to managing the ISP with a proactive mindset, and some are easy to recognize. At the same time, some are intangible and not as easily recognized until there is reflection. The mindset to be proactive reveals itself in the results of an audit, exam, a cybersecurity incident, or a disaster recovery event. Adopt a process to assess the risk, implement controls, audit the controls, and educate people around the three (3) pieces of your business processes.

A proactive mindset provides a member of the Board of Directors and senior management with clarity to handle situations. It allows for a better sleep at night knowing the Institution has proactively identified and planned for information security risks.


[Image: People, Process, Technology]


The Board of Directors Sets the Culture

The Board of Directors chooses to have a culture of a proactive mindset or stay in a reactive mindset. The results will reveal which mindset has been set over time. A proactive mindset will reduce financial losses, make processes more efficient, give the Institution control of its challenges, and provide a competitive advantage over the competition. The choice has been made, and the results are in for review. Take time to reflect on the results and ask yourselves if you are proactive or reactive. Make the adjustments needed for yourselves, the Institution's shareholders, employees, depositors, and the community you serve.

Here are four questions to ask yourself to help determine your cybersecurity mindset:

  1. Are we discussing cybersecurity as a Board of Directors regularly and growing in our ability to be a “credible challenge” to cybersecurity-related decisions (proactive), or are we just waiting to get through the minimum necessary cyber discussions so we can get back to “real business” (reactive)?
  2. Are we measuring cybersecurity risk and using the results of our risk assessments to make better, more informed cybersecurity decisions (proactive), or are we checking the box when it comes to ISP-related risk assessments (reactive)?
  3. Do we know what our most important IT assets, vendors, and business processes are, as well as the top threats to our Institution right now (proactive), or are we just reviewing the results of those risk assessments and moving along (reactive)?
  4. Have we made the proper investments (people, resources, training, and/or money) when it comes to protecting our investments and confidential information (proactive), or do we still treat IT and cybersecurity as an expense (reactive)?



Written by: 
Jeff Spann
SVP Information Security Consultant/Regional Director - SBS CyberSecurity, LLC 





Posted: Thursday, July 30, 2020
Categories: Blog