What level of cybersecurity representation do boards of directors need today, at least to manage their companies' cybersecurity risks adequately? And what types of cybersecurity experience would best meet that ideal level of board representation? Should it come from professionals with direct chief security officer experience, or is a more practical understanding of digital risk enough today? These are some of the questions raised by research recently released by cybersecurity venture capital firm NightDragon and the Diligent Institute.
Their joint report, State of Cyber Awareness in the Board Room Report, found that 88% of S&P 500 companies don't have an executive on their board with specialized cybersecurity experience, and that 57% of S&P 500 companies lack similar specialized experience in other technology categories.
The report found some, and quite varying, levels of cybersecurity experience sitting on boards. For instance, the report revealed that 31% of companies have some technology expertise on their board, although not executives with cybersecurity work experience.
"These individuals are likely informed on cybersecurity and overall technology topics but are less direct experts on the topic than those who [have specialized cybersecurity experience]," the report states. Such positions include current or former CIOs, CTOs, and senior vice presidents of IT.
The analysis also revealed that 52% of companies in the S&P 500 do have boards with at least one member with some, perhaps tenuous, connection to the technology industry. The experience here would include having served on the board of another IT or security industry company, or having some cybersecurity education or other cybersecurity affiliation.
Finally, 5% of S&P 500 companies don't have board members with any cybersecurity or technology affiliation whatsoever. An earlier analysis by The Wall Street Journal found that 86 of the 4,621 board directors they analyzed in S&P 500 companies had experience considered relevant in cybersecurity in the decade before the analysis.
Myrna Soto, a board member at CMS Energy Corporation, TriNet, and Spirit Airlines, is quoted in the NightDragon and the Diligent Institute report as saying, "It is imperative that CISOs prepare themselves to broaden their experience level, increase their communication skills in business terms, and become broader than a siloed subject matter expert to become exemplary candidates for the boardroom."
That may be so, but it’s also essential for the board to tell their CISOs what information and perspective they need from them so that the board can make the best business-wide risk and cybersecurity decisions possible.
"It's historically been a very one-sided conversation, with the board or business leadership expecting the CISO to magically understand what they need to be communicated to them to understand their cyber risk. It's not a one-way street. It's a two-way street, and boards need to start explaining what they expect of them to their security teams," Scott Crawford, information security research lead, S&P Global Market Intelligence, said. "Security professionals, for their part, who often come from technical backgrounds, must learn to translate technical risk into business risk better," Crawford said.
John Pescatore, longtime Gartner cybersecurity analyst and current director of emerging security trends at SANS Institute, says the standard likely shouldn't be merely having executives on boards of directors who have previously been a CISO.
"Do too many boards lack cybersecurity expertise? Depends on how that is defined. If it is defined as having 'been a CISO before,' the answer is definitely yes," said Pescatore. "But, I'd define it as 'enough business experience and cybersecurity knowledge to provide board-level oversight of the management of cybersecurity risks.' I'd say most larger company boards have one or more board members that meet those criteria."
What would have a more significant impact on cybersecurity in S&P 500 businesses? Experts say better communication and CEOs with a better understanding of cybersecurity risks.
For instance, regardless of board makeup, Crawford says many CISOs, when pushing for significant strategic investments in cybersecurity, must do a better job of communicating the tradeoffs between risk and business impact of these efforts, rather than communicating risk alone, as many do.
"For example, there is a lot of discussion about organizations moving away from SMS second factor authentication and moving to stronger factors of authentication that are more secure. It will certainly buy some advantages in security, certainly. But what do CISOs do when there is pushback that forcing stronger forms of authentication would discourage customers because it's too complicated? What will CISOs do when they say it's too inconvenient, causes too much pain?"
Crawford contends that CISOs must be able to communicate the effectiveness of their security program to business leadership. "It's not a question to answer in just a few words. As a security leader, you need to learn how to measure the effectiveness of the security investment. What goes into a rational determination of adequate investment? How do we prioritize that investment? What are the business impacts, and why are those impacts worth the investment? There's an emerging body of knowledge about how to measure that and map that into your strategy," Crawford said.
To this end, Pescatore said it may have a more long-term positive impact to have CEOs who have cybersecurity expertise, as he defines it above. "Because CEOs are not just doing quarterly oversight, they are doing day-to-day company management. Almost every one of the major failures, and I'd say SolarWinds probably fits this model, CEOs made conscious decisions to accept cybersecurity risk because they viewed the risk of the security action to be a larger business risk—and they were proved wrong."
Pescatore adds that boards mainly approve what CEOs want to do, "and when you look at the high failure rate of mergers/acquisitions that CEOs wanted to do, and boards approve, I'm pretty sure most of the board had a good deal of M&A expertise! So, I don't think more CISOs on boards would have made a big difference in the outcome. Better CISOs that could work with CEOs to make better decisions or CEOs that didn't want to ignore that hard cybersecurity decisions needed to be made would."
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.