Considering the financial, legal, and reputational damages a company can suffer from a hack or a data breach, more boards of directors are bringing some cyber knowledge to the table. But, depending on the industry, many corporate BODs are not as educated about cybersecurity issues as they should be. Others, if informed, are still trying to figure out their risk management roles.
An MIT Sloan survey last year found that only 68% of boards regularly discuss cybersecurity while 9% still do not discuss it at all. What’s more, while half said there had been discussion of the board’s role with respect to cybersecurity, no consensus was reached on what that should be.
So what can CISOs and C-suite members do to end these cycles of debate and delay?
That will be part of the discussion at “Do Better: Board-Level Accountability in Cybersecurity,” an upcoming panel at RSA Conference 2023, moderated by Tanium CISO Chris Hallenbeck, and featuring Greg Silberman, associate general counsel of Zoom Video Communications; Brian Stafford, CEO of Diligent Corp.; and Maggie Wilderotter, CEO of Grand Reserve Inn. (The panel takes place Monday, April 24, at 11:30 a.m. ET / 8:30 a.m. PT at RSAC 2023, which runs April 24-27 at the Moscone Center in San Francisco.)
The stakes for board accountability couldn’t be higher. Between surging ransomware incidents, massive data breaches, and a huge spike in business email compromise (BEC) attacks, 2022 was arguably one of the worst years on record for cybersecurity. The FBI logged more than 800,000 cybercrime complaints in 2022 with total losses exceeding $10 billion compared to $6.9 billion in the prior year. Hackers also compromised data and funds from millions of private accounts, leading 57% of organizations to boost cybersecurity budgets this year. All of this prompted the Securities and Exchange Commission (SEC) to propose a host of new regulations last year that will significantly impact how U.S. companies—and their boards—do business.
Focal Point sat down with Hallenbeck to get his take on how BODs are adapting to cyber threats—and what CISOs need to know to work more closely with them.
How has board accountability for cybersecurity issues changed over the years?
For the longest time, boards viewed cybersecurity as a cost center, a checkbox, or an operational luxury best handled by IT professionals. They had little desire to get directly involved in such matters. But as breaches started posing financial, legal, and image problems, board members started turning to CISOs to keep them updated on business-impacting issues, which meant CISOs had to start learning how to speak in business rather than technical terms.
Now, with the threat landscape far more complex and endpoints more vulnerable than ever due to the shift toward remote and hybrid work, we’re seeing a different twist where there’s a growing expectation that one or more board members will have expertise, or at least passing familiarity, with cybersecurity. More organizations will have someone on the audit committee, if not the entire committee, spending time on cybersecurity. That’s different.
Is this happening in every industry?
I think the trend is happening everywhere, but the pace with which boards are focusing on managing cyber risk varies by industry.
If you’re in healthcare, for example, so much of what you do is run by data and electronic systems. If you don’t have someone on your board who understands the cybersecurity implications of that, it could be viewed as a significant failure. Same thing with financial services and other risk-averse sectors. There are other industries where there isn’t as big an impetus for board-level cybersecurity awareness because they haven’t been hit as hard by data breaches and aren’t heavily regulated.
So, yeah, boards in every industry are going down this path but at different speeds.
How should CISOs communicate with boards given this new reality?
They need to frame conversations on risk because that’s what board members care about. How does this cybersecurity incident or near-miss present a risk to the business? That’s the kind of language board members and senior leaders understand.
It’s OK to find a middle ground where you blend business and technical issues so long as their eyes don’t start glazing over. And you don’t want to get into too much detail. But at the same time, you shouldn’t overlook informing them about issues you solved that could have some higher, long-term relevancy.
Too often, many CISOs go about their roles very operationally. They see a problem, fix the problem, and move on to the next thing. Instead, they should be updating the board on some of these issues and saying, “We recently fixed this problem. It wasn’t necessary to elevate it to your attention at the time, but you should be aware because it was indicative of a trend that could rematerialize and affect the business at a later time.”
With cybersecurity, we don’t have to go into excruciating detail to provide an impactful narrative to the board. But we should provide enough of an overview of issues we face along with specific recommendations for addressing them in the future.
What’s the biggest mistake CISOs make when communicating to board members?
Being too verbose. You want to hit the high points. Get the data or key points you want out there as succinctly as possible. Then let those smart people ask what they want to ask. Listen closely to their questions to understand what they really want to know. And pay attention to their comments because they’ll tell you where their interests lie and what they’re concerned about so you can adjust your presentation accordingly the next time you meet with them.
Really, the biggest piece of advice I’d have is to watch to see if their eyes are glazing over at any point and watch their body language to see if what you’re delivering is what they are looking for. If not, then adjust on the fly.
Do you see the trend toward board accountability—and board cybersecurity awareness in general—continuing?
For sure. Again, it’s going to vary by industry. It’s possible that regulators could require some companies to have someone with cybersecurity responsibility on their audit committees at some point.
Cyber insurance companies could eventually require that as well to qualify for premium rates. That said, I think boards are going to have to go through a maturity process where they move on from thinking cybersecurity incidents will not and should not happen to them. They need to know that cybersecurity incidents are, unfortunately, a fact of life—no matter how much you invest to avoid them.
The conversation needs to instead be about how to make those instances less frequent or severe. There needs to be a mix of risk and acceptance to address cybersecurity threats practically and effectively.