We have a long way to go to get adequate cybersecurity expertise on boards, but the time has come to make it happen
Recently, the Securities and Exchange Commission (SEC) made a welcome move for cybersecurity professionals. In proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting, the SEC outlined requirements for public companies to report any board member’s cybersecurity expertise. The change reflects a growing belief that disclosure of cybersecurity expertise on boards is important as potential investors consider investment opportunities and shareholders elect directors. In other words, the SEC is encouraging U.S. public companies to beef up cybersecurity expertise in the boardroom.
Cybersecurity is a business issue, particularly now as the attack surface continues to expand due to digital transformation and remote work, and cyber criminals and nation-state actors capitalize on events, planned or unplanned, for financial gain or to wreak havoc. The world in which public companies operate has changed, yet the makeup of boards doesn’t reflect that. According to a 2021 survey, only 4% of CISOs sit on corporate boards globally.
Improving communications between CISOs and boards is a subject that is near and dear to my heart and a topic I revisited soon after the pandemic began. It’s great to know that 90% of CISOs now say they present directly to their company’s board and/or audit committee, usually on a quarterly basis. But being an actual board member takes that interaction to a new level.
Here are three challenges CISOs should prepare for as the ripple effects of the SEC amendments make their way through to board recruitment processes.
1. Education. Reporting to the board on a quarterly basis or when specifically invited is entirely different from having a regular seat at the table as the go-to expert for cyber risk. Discussions about strategic initiatives including digital transformation, merger and acquisition (M&A) activity, regional and global expansion, strategic partnerships and supply chain shifts happen every day. Cybersecurity is now widely viewed as a competitive advantage and integral to the success of corporate strategies. As a board member, CISOs will become interwoven in the business and must continually view these initiatives through the lens of cyber risk to ensure they are enabled securely. Be prepared to use your knowledge base as your “crystal ball edge” to educate and help leadership find the right balance between business strategy and cybersecurity.
2. Risk Communications. For some time now, boards have been maturing in their understanding of cybersecurity and asking more detailed questions about threats. They don’t just want to know whether the latest threat pertains to the organization, but in what ways and how the security team knows that. The current situation in Ukraine, which introduces the dimension of cyberwarfare, has intensified these types of requests and spurred the need for frequent, richer conversations. CISOs must be able to assess the entire threat landscape, including the impact of geopolitical events on the organization, and recommend how to mitigate risk proactively. Data-driven security operations can reveal the motivations of attackers and their tactics, techniques and procedures (TTPs), providing a clearer picture of risk exposure and of how to strengthen detection and response should the company be in the crosshairs. Being able to discuss the threat landscape at a more strategic level is integral to effectively communicating risk and enabling boards to make more informed business decisions.
3. Metrics. Boards have a fiduciary responsibility to their shareholders. Research finds that digitally savvy boards outperformed others, including achieving 38% higher revenue growth over three years, 34% higher market capitalization growth and 17% higher profit margins. The financial, legal and reputational fallout from recent cyberattacks has shown corporate leaders that digital initiatives must be executed securely to preserve those benefits. As we discussed recently with Accenture, when CISOs pair threat intelligence with data science and analytics they can create a specific risk profile and identify key metrics that balance cybersecurity with business strategy. Criteria like mean time to detection, response time, loss prevention, breach avoidance and operational uptime help define and measure success in ways that are aligned with strategic business objectives.
We have a long way to go to get adequate cybersecurity expertise on boards, but the time has come to make it happen. CISOs can ease the transition and demonstrate the value of bringing this skillset to the boardroom by deepening their understanding of the business, upleveling risk communications and focusing on metrics that drive better business outcomes. As board transformation starts to happen, companies will realize how having a trusted cybersecurity expert at the table, helping to create and drive business value, pays dividends (pun intended).