Cybersecurity Governance for the Board of Directors
As the chairman of the board for Cinturion Group, Richard Marshall is intimately involved in ensuring the security of the fiber optic network his company is constructing from India through the Middle East and on to Europe. The monumental Trans Europe Asia System (TEAS) will be difficult enough to build given it will be buried beneath thousands of land and sea miles. Making it even rougher is the fact that many of the countries that will host the cable do not much like each other, which presents potential cybersecurity issues.
The Changing Role of the Board
When Marshall began his board-level career 16 years ago, he and his fellow governors probably would have delegated responsibility for securing this infrastructure to IT security "propeller-heads." But today, with costly ransomware attacks increasingly torching bottom lines, he says board members and their audit committees recognize they can no longer ignore such responsibilities.
Directors know they must be more aware and directly involved. In fact, 88% of them now view cybersecurity as a business risk as opposed to a technology problem, according to business analyst firm Gartner.
The SEC’s Proposed Rules
Adding fuel to their fire: the likelihood of more government regulatory pressure. For example, the Securities and Exchange Commission (SEC) floated new rules that would require publicly traded companies to disclose their cybersecurity governance practices, including how boards oversee cyber risk. The announcement has prompted considerable debate and controversy. And while organizations are not required to appoint members who are versed in technology or cybersecurity issues, the proposed SEC rules would mandate that they divulge whether they have done so.
Cybersecurity Governance Best Practices
So, how can technology-challenged board members get up-to-speed on cybersecurity? Experts say it doesn’t require a Certified Information Systems Security Professional (CISSP) credential or walking in the CISO’s shoes for a day (although neither approach would hurt). Rather, they suggest a few steps to address coming regulations and provide better oversight.
1. Appoint at Least One Cybersecurity Expert to the Board
Dr. Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS), has been studying the intersection of technology and business for more than 30 years and has published numerous papers involving cybersecurity. So, it made sense that the TMF Health Quality Institute, which was seeking cybersecurity expertise to address rising cybersecurity threats in that industry, would ask Pearlson to join its board.
2. Make Cybersecurity Governance a Key Agenda Item
Corporate bylaws require boards of directors to meet at least once a year, but the frequency tends to vary by state. In some cases, it will be twice or four times a year. In the ideal situation, experts say, the cadence should be every six to eight weeks.
3. Look Beyond Risk to Resiliency
Pearlson says board members need a different approach to cybersecurity: Instead of viewing it as being solely about mitigating technology risk, they should also prioritize resiliency, which includes how they would recover from a successful cyberattack.
4. Get Some Training—Cyber Skills Fuel Smarter Cyber Governance
Experts say that even with a cybersecurity-designate on the board, most members would be better at their jobs if they had a little training in the discipline. Pearlson, for example, notes her college, the Massachusetts Institute of Technology, offers courses specifically designed to familiarize board members with cybersecurity governance fundamentals.
5. Come Together—Right Now
Board members and CISOs don’t always speak the same language, but they are increasingly finding common ground, says Pearlson. She recommends board members try to forge better ties with CISOs to stay closer to vital cybersecurity issues.
Conclusion
In today’s digital landscape, cybersecurity is no longer a technology problem, but a business risk that requires the attention and involvement of the board of directors. By following these best practices, board members can ensure their organizations are better equipped to address the ever-evolving threat of cyberattacks and maintain the trust of their stakeholders.
FAQs
Q: Why is cybersecurity governance becoming more important for boards of directors?
A: Cybersecurity is no longer a technology problem, but a business risk that requires the attention and involvement of the board of directors.
Q: What are some best practices for board members to get up-to-speed on cybersecurity?
A: Appoint at least one cybersecurity expert to the board, make cybersecurity governance a key agenda item, look beyond risk to resiliency, get some training, and come together with CISOs.
Q: What are the proposed SEC rules and how will they impact organizations?
A: The proposed SEC rules would require publicly traded companies to disclose their cybersecurity governance practices, including how boards oversee cyber risk.