Cyber requirements growing for company boards

Two years ago, a survey conducted of 200 board members by the NYSE Governance Services showed that 66 percent of respondents were not confident that their companies were properly secured against cyberattacks.

High-profile cybersecurity threats and breaches – most recently the Mirai botnet and WannaCry Ransomware attacks – have continued to put the spotlight on upper-level management and how they manage and assess cybersecurity risk. Whether or not to appoint an experienced cyber expert to its board of directors is an increasingly common discussion, not just in boardrooms but amongst government policymakers as well.

Earlier this year, Sens. Collins, Warner and Reed introduced a legislation (S. 536) that would require companies to disclose if they have a cyber expert on their board and if not, to explain why.

Additionally, New York’s Department of Financial Services issued a rule that took effect in March, requiring banks to take a number of steps to improve their cybersecurity postures and have the board chair or a senior officer certify to the state that the company meets their requirements.

And just last month, the Congressionally mandated Health Care Industry Cybersecurity Task Force released their much-anticipated report, which recommends that health care organizations provide more educational resources to executives and board members to increase their awareness and understanding of the value of cybersecurity initiatives.

It’s always controversial when government goes down the path of prescribing certain behaviors for corporate boards, and for good reason. We, in the cybersecurity world, have learned it’s best to not take a strong stance on such requirements. However, the idea that boards should be better informed and more active on cybersecurity has merit.

Having a board member with cybersecurity expertise can help shape how a company approaches and manages risk as well as how they address business critical questions that apply to cybersecurity strategy and spend. These questions may include: Are we categorizing our risk properly? Is our cybersecurity spending aligned to our business risk? Are we focused too much on responding to breaches as opposed to preventing them? Do we have the right tools, processes and resources in place?

The answers to these questions can have a significant impact on an organization, making it critical to appoint the right person for the job. Therefore, if companies do embark on the journey to identify a candidate that can provide the board with the right balance of cyber expertise and strategic business counsel there are a few different approaches to consider, including:

• Appoint the right board member: Unlike other business focus areas – i.e. accounting and finance, compliance, risk assessment – there is a much smaller pool of cybersecurity professionals that are equipped to understand both the technical challenges as well as the higher-level strategic business decisions that help drive a company forward. Companies are looking for an executive-level candidate with significant experience in their field; this within itself can be tough to identify, but add cybersecurity on top of that and the pool of potential candidates dwindles rapidly. Organizations should look for people within specific industries or government agencies that have had their share of cyber hardships, but have demonstrated the leadership abilities that led to a significant improvement in their organization’s cybersecurity posture. Identify people who have had a track record of prioritizing what is truly important and can “see around corners” to anticipate not just today’s threats but tomorrow’s threat as well.
• Working closely with CIOs and CISOs: Chief information officers and/or chief information security officers increasingly are being requested to appear at board meetings, but they may lack the ability to communicate effectively about cyber risk and remediation plans, especially when the discussion falls outside of the technical realm. The introduction of a board member with cyber expertise changes the dynamic between the board and the CIO and/or CISO. In the best case, the board member become the advocate of cybersecurity and sponsors of the plans offered by the CIO and/or CISO. However, if the fit is not right, the board member can become the inspector of their work, constantly questioning and micromanaging them. How the relationship will function should be established early by the CEO and board chairman.
• Consider a board committee: Whether or not a company adds a cybersecurity expert to the board, a decision will need to be made about the best way for cybersecurity to become a long term discussion. Traditionally, companies have had these discussions as part of their audit or risk committees. Increasingly, companies are adding technology or cybersecurity committees that discuss the topics in depth and put forth recommendations to the board around strategies, technologies and spend. Making this discussion a priority amongst the board will ensure the right conversations are taking place with the right group of influential decision makers.

In general, boards are intensely interested in how their firms can better assess risk and make reasonable decisions about protecting their data, networks and overall operations. Whether or not an organization needs a cybersecurity expert on its board should not be the most important question for business leaders. Instead, they should focus on how the board – with the awareness and knowledge it already possesses – can ensure a company culture that prioritizes healthy networks and secure data as key business enablers, supports openness and transparency in communication about risk and operations, and is ever-vigilant about staying ahead of threats. A healthy cyber posture begins with the right conversations taking place amongst the top business leaders.