CEO and co-founder of the Institute for Cyber Leadership, a fast-growing community of cyber leaders from over 50 countries.
The spate of malicious hacks has prompted several regulators to tighten their requirements. Of particular interest are the imminent new SEC rules, which are expected to enter into force in April 2023. Among other things, the new SEC rules require greater disclosure of board cybersecurity expertise, material incidents and cyber risk oversight practices.
But as these major changes loom, many organizations find themselves woefully unprepared. A recent survey painted a grim picture of cybersecurity governance, with only about half of Fortune 100 companies having a director on their board with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is more concerning; only 9% have cyber-savvy directors.
With so much at stake, I think corporate executives should do their best to drive cyber risk management. Here are three effective ways boards can improve this situation.
1. Integrate cyber risk management into the company’s bloodstream.
Sustainable change requires leaders to role model the expected attitudes, beliefs and practices. The underlying premise is that the attitudes displayed by management trickle down to the lower ranks of the workforce. To get the right tone at the top, your board may mandate the creation of a cross-business cyber risk governance forum.
This group, composed of executives from risk management, finance, legal, technology, product development, human resources and other relevant senior stakeholders, acts on behalf of the board in overseeing cybersecurity risks and ensures that:
• The cyber strategy supports strategic goals, mitigates key risks and ensures that the cybersecurity function is adequately resourced.
• The threshold for reporting cyber incidents corresponds to external obligations, and the board has a good understanding of critical vulnerabilities and management responses. This requires management to create an environment where managers are not tempted to filter out bad news as information flows up the hierarchy.
• An effective cyber assurance program is in place to pressure-test defenses against realistic attack scenarios.
• The cybersecurity function takes a disciplined approach to cyber transformation and is not distracted by superfluous ideas. This requires a careful balance between providing the right level of strategic support and not interfering with operational decisions.
The membership and mandate of this group should evolve as business strategy, external commitments and the cyber risk landscape change.
2. Increase the role of the CISO.
It is generally agreed that an organization cannot maximize the return on its investments or weather financial storms without a competent chief financial officer (CFO). Similarly, I feel corporate executives are deeply misguided in thinking they can accelerate cyber transformation without an empowered chief information security officer (CISO).
But despite the importance of this role, most CISOs still feel like glorified security administrators. I see their views often quickly shot down, their positions underfunded, and their teams under constant pressure. No wonder one-third of cybersecurity executives consider leaving their current organization.
To address this plight, the board can ensure that the CISO is transformed from a ceremonial to an integral member of the C-suite, with the power to veto business decisions that expose the organization to unnecessary or high risks.
The first step is to promote direct and candid conversations between the board and the CISO. This provides a platform for the board to ask tough and precise questions and for the CISO to understand the board’s top business priorities and most pressing concerns. Elevating the role of the CISO also sends an unequivocal message that the organization places a high value on cyber resilience, isolates the cybersecurity budget from discretionary IT spending, and gives the board a clearer understanding of the organization’s risks and mitigation strategies.
Conversely, a CISO who lacks organizational status will be more likely to hesitate over important decisions, wasting time writing drawn-out risk papers for the board to endorse.
The board can also strengthen its stance on cybersecurity by asking several probing questions, including:
• What are the critical gaps around our high-value digital assets (crown jewels), and has management formulated clear recovery strategies?
• Do we have a clearly articulated cyber risk appetite statement that enables management to safely embrace innovation without exposing the organization to excessive risk?
• Are our mandatory data breach reporting obligations clearly understood and benchmarked against plausible data breach scenarios?
• Does our cybersecurity function have sufficient resources to deliver key initiatives, mitigate high-rated risks, and keep pace with the rapidly evolving threat landscape?
• Does our organization embed security early and deeply in all digital transformation programs?
• Does our organization build legally enforceable contractual cybersecurity clauses into contracts with third parties and implement robust assurance processes when dealing with high-risk suppliers?
• Do we have robust and independent assurance reviews to pressure-test the organization’s defenses against the most likely and impactful cyber risk scenarios?
3. Enlist the help of a digitally savvy director.
To foster deeper conversations about cyber risk, corporate executives can proactively enhance their cyber risk management skills by taking cyber risk management training. An example is the Cyber-Risk Oversight Program offered by the National Association of Corporate Directors (NACD), which demonstrates a director’s commitment to advancing cybersecurity literacy.
But let’s face it, cyber risk is too complex to fully master through short management courses. To hold the CISO accountable in a fair and informed way, boards can call on a cyber expert. This fellow board member or external advisor can engage at a much deeper level, exposing critical cyber blind spots.
There is an additional benefit. Research shows that companies with digitally-savvy boards surpass their peers on key metrics including ROA and market cap growth. But these relationships must be handled with care, as experts with little knowledge of the business can recommend unrealistic best practices, frustrating the CISO and fueling board distrust.
The writing is on the wall: directors who continue to push cyber risk to the back burner may be in for a rough wake-up call. But with tighter governance, directors can effectively fulfill their primary mandate, helping their organizations strike the right balance between opportunity and cyber risk.