As chairman of the board for Cinturion Group, Richard Marshall is intimately involved in ensuring the security of the fiber optic network his company is constructing from India through the Middle East and on to Europe.
The monumental Trans Europe Asia System (TEAS) will be difficult enough to build given it will be buried beneath thousands of land and sea miles. Making it even rougher is the fact that many of the countries that will host the cable do not much like each other, which presents potential cybersecurity issues.
When he began his board-level career 15 years ago, Marshall says, he and his fellow governors probably would have delegated responsibility for securing this infrastructure to IT security “propeller-heads.” But today, with costly ransomware attacks and data breaches increasingly torching bottom lines, he says board members and their audit committees recognize they can no longer ignore such responsibilities.
Directors know they must be more aware and directly involved. In fact, 88% of them now view cybersecurity as a business risk as opposed to a technology problem, according to business analyst firm Gartner.
“I’ve seen the change,” says Marshall, who also chairs two other boards and serves as a cybersecurity consultant. “Boards are becoming more sophisticated. They are also younger, so they tend to be more technically aware and likely to realize they have to get involved in mitigating risk.”
Adding fuel to their fire: the likelihood of more government regulatory pressure. Last year, for example, the Securities and Exchange Commission floated new rules that would require publicly traded companies to disclose their cybersecurity governance practices, including how boards oversee cyber risk. The announcement has prompted considerable debate and controversy. And while organizations are not required to appoint members who are versed in technology or cybersecurity issues, the proposed SEC rules would mandate that they divulge whether they have done so.
That could be problematic for many organizations, because board members typically hail from business rather than IT backgrounds. Indeed, while the percentage of public companies with appointed technology-focused directors has grown recently, it still stands at only about 17%, according to Deloitte. What’s more, a recent DHR Global study found just 1.4% have a current or former chief information security officer (CISO) on their boards, and 65% delegate responsibility for directing and reporting on cybersecurity to audit committees.
Granted, good CISOs are increasingly hard to find, but that will not do, says the SEC.
“Cybersecurity is already among the top priorities of many boards of directors, and cybersecurity incidents and other risks are considered one of the largest threats to companies,” the commission explained while promoting its rule change. “Accordingly, investors may find disclosure of whether any board members have cybersecurity expertise to be important as they consider their investment in the registrant, as well as their votes on the election of directors of the registrant.”
So, how can technology-challenged board members get up-to-speed on cybersecurity? Experts say it doesn’t require a Certified Information Systems Security Professional (CISSP) credential or walking in the CISO’s shoes for a day (although neither approach would hurt). Rather, they suggest a few steps to address coming regulations and provide better oversight.
1. Appoint at least one cybersecurity expert to the board
Dr. Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS), has been studying the intersection of technology and business for more than 30 years and has published numerous papers involving cybersecurity. So, it made sense that the TMF Health Quality Institute, which was seeking cybersecurity expertise to address rising cybersecurity threats in that industry, would ask Pearlson to join its board.
[Boards are] younger, so they tend to be more technically aware and likely to realize they have to get involved in mitigating risk.
While other board members have interest, perspectives, and some experience in cybersecurity, Pearlson says her role is to provide deeper perspectives and guidance on key issues.
“I think boards are getting more mature, and members understand that responsibility,” she says. “They manage business risk, and cybersecurity is a business risk. But they are not the same, and so part of my job is to look at the cybersecurity decisions they make to ensure they are sound.”
Some companies are building even deeper benches in cybersecurity expertise. A recent Gartner survey predicts 40% of boards of directors will also have a dedicated cybersecurity committee by 2025, up from 10% today.
“Many boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” said Sam Olyaei, research director at Gartner, in a statement. “This change in governance and oversight is likely to impact the relationship between the board and the chief information security officer.”
2. Make cybersecurity governance a key agenda item
Corporate bylaws require boards of directors to meet at least once a year, but the frequency tends to vary by state. In some cases, it will be twice or four times a year. In the ideal situation, experts say, the cadence should be every six to eight weeks.
That’s largely because business and risk issues can change on a dime, and if a board is making decisions in January, they may no longer be relevant weeks or months later. This is especially true with cybersecurity, which must be a regular topic of discussion on every agenda, says Marshall.
“When I advise boards, I encourage them to have a CISO come in and make a quick report every time,” he says. “That gives CISOs rapport with the board. And it helps educate board members, especially if the CISOs know how to talk to them from a business perspective.”
3. Look beyond risk to resiliency
Pearlson says board members need a different approach to cybersecurity: Instead of viewing it as being solely about mitigating technology risk, they should also prioritize resiliency, which includes how they would recover from a successful cyberattack.
Wouldn’t it be awesome if your company experienced a cyber incident but suffered no financial hit? No data loss? No system downtime? No reputational damage? That’s the vision of where we should be going with cybersecurity.
That requires a willingness to shift from believing attacks are mostly preventable to acknowledging that they will happen, so you need a plan for minimizing the damage, she says.
“As a board member, you have to take the perspective that every company will likely experience a breach or attack of some sort,” Pearlson says. “You also want to know that your company can absorb and recover quickly without downtime. I mean, wouldn’t it be awesome if your company experienced a cyber incident but suffered no financial hit? No data loss? No system downtime? No reputational damage? That’s the vision of where we should be going with cybersecurity.”
4. Get some training—cyber skills fuel smarter cyber governance
Experts say that even with a cybersecurity-designate on the board, most members would be better at their jobs if they had a little training in the discipline. Pearlson, for example, notes her college, the Massachusetts Institute of Technology, offers courses specifically designed to familiarize board members with cybersecurity governance fundamentals. Similar classes are offered by Harvard, Wharton, and Cyber Risk GmbH.
In addition, Marshall recommends considering working with cyber insurance providers who have a vested interest in ensuring their subscribers remain as secure as possible. Outside consultants can be another effective option, he adds.
5. Come together—right now
Board members and CISOs don’t always speak the same language, but they are increasingly finding more common ground, says Pearlson. She recommends board members try to forge better ties with CISOs to stay closer to vital cybersecurity issues.
“While inviting CISOs to report to the board helps with identity, it doesn’t build strong connections between board members and security executives,” she says.
Pearlson adds that her research found some board members and CISOs proactively connect in-between executive meetings to discuss cybersecurity headlines and potentially damaging incidents. Because they are more familiar with one another, they tend to be better prepared for partnering to tackle cybersecurity incidents as they arise.
“A cyber incident isn’t the time to build a bridge,” Pearlson says. “That should occur long before difficult conversations have to take place.”