CISO Strategy

The End of “Groundhog Day” for the Security in the Boardroom Discussion?

As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.


It’s been eight and a half years since I first wrote about the need for security leadership representation in the boardroom. I then revisited the topic last year, when the SEC initially proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.

Now, as the SEC cyber incident disclosure rules come into effect, organizations will finally be forced to seriously consider giving security leaders a seat at the table. It is the logical next step toward complying with the disclosure and oversight requirements that the new rules set out.

The positives of SEC involvement

Feedback from industry professionals highlights the pros and cons of the new SEC rules. But since the rules are now inevitable and disclosure reports are due beginning December 2023, the time has come to focus on the positives for the industry of the SEC stepping in.

Having some standardization of terminology, for example the definition of an incident and what makes it material and thus disclosure-worthy, will enable executive leadership to focus on exactly what is needed in the boardroom. This should save organizations from spending cycles defining their own policies, procedures, and reporting practices from scratch. The other positive is that the initiative will likely drive investment in security technology, which is good for security professionals and for organizations, which will be better protected as a result.

The implications to board composition

At the same time, the guidelines plainly state that organizations will be required to “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cyber threats.” This is incredibly difficult to do given the dearth of security expertise on boards. Brian Krebs recently updated research he did back in 2018 on Fortune 100 companies that list a CSO or CISO among the executive leadership positions on their websites. At the time, only five of the Fortune 100 did. Using the latest available list (2022), he found there are still only five. Organizations including IANS and Heidrick & Struggles have conducted studies of their own that also reveal security leaders have little representation at executive levels.


We all know that most companies employ a CISO or CSO these days, and that cybersecurity is a topic on the board’s agenda. But if that individual is not actively sitting on the board, how confidently can that company state they have cyber risk oversight capabilities and management expertise in the boardroom?  

A tangible win-win

There’s also an interesting dynamic at play from the CISO perspective. Salt Security’s State of the CISO 2023 report found that topping the list of personal challenges CISOs face are concerns that a security breach in their organization may result in personal litigation and liability. The fear is so acute that some CISOs are opting for roles below the CISO level or requesting indemnification. Given legal proceedings against the CISO of SolarWinds and the former CSO of Uber, this reaction comes as no surprise and will fuel further concern.

However, at a time when organizations need their experienced CISOs more than ever, the SEC ruling can help turn this challenge into an opportunity. Executive leadership can stem the tide of CISOs looking to step back to reduce their own personal risk by offering a board seat that extends directors and officers (D&O) insurance coverage to them and helps allay some of their legal concerns. Elevating CISOs to the board also demonstrates in no uncertain terms that the board is prioritizing cybersecurity. Invitations to present to the board only at select times, and investment reviews only during budgeting season, will become a thing of the past. The stage is set for collaborative assessment of the people, processes, and technologies in place to protect the business, and for continuous review of the dynamic threat landscape and the investments needed to mitigate risk.

SEC involvement is the catalyst we need to get security representation in the boardroom – at long last! As security professionals, we should welcome the opportunity as it means the responsibility of protecting the business is finally recognized as a key enabler of business strategy and treated as such.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
