From The Server Room To The Boardroom: Why Data Risk Demands Board-Level Attention


New cybersecurity threats emerge daily, but a much different threat has sent shockwaves through the industry: personal liability stemming from corporate data breaches. All levels of leadership, including CFOs, CISOs, CEOs and boards of directors, are now held responsible.

With the news of SolarWinds executives receiving a Wells notice related to a 2020 breach along with the sentencing of Uber’s former CISO last year, concerns about accountability for properly managing sensitive data are growing, and the stakes have become personal. It’s time for governing bodies, executives and board members to realize that data security is everyone’s responsibility.

From the server room to the boardroom, we should all ask the same question: Are we doing enough to proactively safeguard our company’s most sensitive information?

Be proactive against risk—own your role as captain of your organization.

The most damaging security incidents can expose sensitive information and jeopardize the safety of customers’ and employees’ personal information. According to IBM’s 2023 Cost of a Data Breach report, the most commonly compromised data types in 2023 include customer PII (52%), employee PII (40%) and intellectual property (34%).

Most of this critical information resides in unstructured data, which now constitutes more than 90% of all enterprise data. Even with robust cybersecurity protocols in place, a governance body that fails to prioritize continuous classification and proactive protection of sensitive information within all corporate data exposes the entire organization to risk.

We need a proactive mindset focused on prevention and mitigation rather than reactive analysis and resolution. A seasoned captain would not sail unprepared into treacherous waters, waiting for a storm to hit before scrambling to repair the damage; they would first invest in advanced navigation systems, an experienced crew and a sturdy hull to safeguard their ship from peril.

As the captains of our organizations, we need to champion proactive data protection efforts to help skillfully navigate the new landscape of cyber threats and mitigate damage when a breach inevitably occurs.

Are cybersecurity investments a waste without visibility?

Data classification is essential to maximizing cybersecurity investments. Without this foundational practice, striking a balance between productivity, innovation and data protection becomes impossible.

Consider document access control as a prime example. Some of your most sensitive information resides in emails, contracts, HR documents and other vital document types that users manage: creating, updating, sharing and storing files where they prefer to conduct their work.

Most organizations control document access at the folder level. However, a document inside that folder can still be shared or moved, which happens frequently as employees perform their day-to-day tasks. In such cases, folder-level access rights become ineffective. If documents are not correctly classified and labeled, it’s impossible to determine if sensitive information has fallen—intentionally or unintentionally—into the wrong hands.

Insufficient data classification can also lead to wasted data loss prevention (DLP) investments. DLP platforms rely on accurate classification labels to prevent unauthorized exposure. Without a system to ensure all data is correctly labeled, regardless of its type or where it is stored, there is a high risk of the DLP solution missing crucial documents and potentially exposing sensitive information.

Ultimately, data classification boils down to visibility. Without it, organizational risk increases dramatically, making data breaches more likely and their consequences more severe.

Do blind spots in your security posture keep you up at night? They should.

No organization is immune to attack, even with rigorous security protocols. Uber’s September 2022 breach is one example of this, where a hacker bypassed Uber’s security through social engineering and gained access to critical systems. Events like this highlight the critical need to properly secure sensitive data internally.

For companies anticipating scenarios like this, it is important for governing bodies and executives to take proactive measures that begin with an exploration of the organization’s data management and protection practices. This signals that data security is a priority at the highest level and can bring visibility to any blind spots that must be addressed.

Armed with proper visibility, organizations can better address vulnerabilities and eliminate them as potential opportunities for data breaches.

According to IBM, phishing and stolen or compromised credentials were among the most prevalent initial attack vectors in 2023, leading to 39% of all reported data breaches, with other forms of social engineering included. These are also the most expensive data breaches, costing several million dollars.

When social engineering is rampant, relying solely on network security and perimeter protection can be ineffective and expensive. Sensitive data needs protection from the inside out.

It’s time for boards to wake up, pay attention and lean in.

Given the wide-ranging costs of a data breach—financial, legal, reputational and personal—support is needed, now more than ever, from the board of directors and other leaders to help prevent data breaches and mitigate exposure. Governing bodies and executives must understand and prioritize data protection efforts, starting with data classification.

Key Questions You Should Be Asking As an Executive

  • Do we have a robust data classification scheme?
  • Do we have a strategy, methodology and technology to discover sensitive data in our organization?
  • What percentage of our data is accurately classified and validated?
  • How are we continuously classifying new and updated data?

Data risk is business risk—it’s time to treat it that way.

Establishing data classification policies, investing in continuous data management and fostering collective responsibility for data security enables companies to protect sensitive information and significantly reduce potential financial losses or legal liabilities stemming from data breaches.

By embracing these strategies at the highest level, organizations can confidently navigate an ever-evolving cybersecurity landscape and ensure long-term security and resilience. As executives, let’s join together in prioritizing data risk—from the server room to the boardroom—to safeguard our employees and customers and protect the future of our brands.

This article was originally published with Forbes Tech Councils.

Sean Nathaniel Headshot whitebg
Sean Nathaniel