Board cybersecurity preparedness is taking on more importance thanks to the Securities and Exchange Commission’s introduction of cyber disclosure rules. The risk of cyber threats targeting businesses is increasing, and the potential penalties for cyber incidents are growing, too.
But there’s a knowledge gap businesses need to address.
A joint Corporate Governance Institute and Board Intelligence survey found nearly 60% of respondents don’t think they have received sufficient training on cyber resilience in the last 12 months.
In organizations with less cyber training, the board is less likely to challenge management on technology strategy and issues as robustly as it does on other topics, such as financial performance, the survey found. The Corporate Governance Institute surveyed 250 respondents for the report, including chairs, non-executive directors and executive directors of private companies, state-funded organizations and charities.
It shows how a lack of board cybersecurity education can translate into the board members failing to ask the hard questions of management about cyber, according to Rob Clyde, an experienced board director who spent many years on the ISACA global board of directors.
Clyde likens it to board members being able to read financial statements and ask good financial questions, regardless of their level of financial background or whether they are a CFO.
“The same is true when it comes to cyber. Every board director needs to be just as proficient when it comes to cyber, and be able to ask questions and participate in the dialogue,” said Clyde.
“It can also make it difficult for the board to assess whether the company is doing a good job from a management perspective relative to cybersecurity,” he said.
“A lack of cyber awareness can also lead to insufficient disclosures being made, which can lead to investigations and lawsuits,” he said.
It also means that if an incident does occur, organizations with stronger cyber awareness have a foundation that can show they met a standard of due care.
What about the CISO’s responsibility?
While the board’s cybersecurity know-how is under scrutiny, CISOs are finding themselves in the hot seat and potentially liable for a company’s security shortcomings.
CISOs now face substantial personal risks, as seen in cases like Uber and SolarWinds where the SEC has taken legal action against the security chiefs. The primary risk is both personal and professional liability for the CISO, according to Kayne McGladrey, field CISO at Hyperproof.
The problem, however, is that boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy. “This exposes CISOs to substantial risk,” McGladrey told Cybersecurity Dive.
Boards looking to improve their response to cyber incidents need to be willing to invest in ongoing continuing education for board directors and set aside a certain amount of money for it, according to Clyde. They also need to decide if there is an expectation for directors to complete relevant training.
While most boards say they do a deep dive into cybersecurity at least once a year, some may determine that’s not enough; in that case, they should add it as an agenda item at every quarterly board meeting, or more frequently as needed, according to Clyde.
“This can be discussed during board evaluations when they look at where gaps might be, and where specific board directors may need more or less training, based on their backgrounds,” he said.
“The chair in particular plays an important role here to work with board directors to make sure that there is a sufficient understanding relative to this.”
Improving the reporting structure into the board
Considering the SEC requirements, businesses are hitting an era where the CISO needs to be reporting higher up in the organization and consulted for signing off on disclosures that businesses are making around cybersecurity and technology, according to Clyde.
However, industry surveys find that many organizations still have the CISO reporting to the CIO, the CTO, or even in some cases, the CFO.
Cybersecurity teams in organizations where the board of directors prioritizes cybersecurity are more likely to report to a CISO, according to ISACA’s recent State of Cybersecurity report.
“The CISO has a very important role with board cyber readiness,” Clyde said.
Elevating the CISO to the executive team allows them to report regularly to the board and answer its questions.
“Today’s CISO needs to be more than just a security expert and must also understand risk management and business,” he said.
Clyde also believes the chief audit executive has a role, which includes ensuring there’s an external audit for the organization that encompasses an IT audit. “The audit committee and the board should have a clear understanding of the IT-focused audit findings, including the potential risk that the company is facing,” he said.
As part of this arrangement, the CISO should respond to questions around what the board should know and do regarding any cyber deficiencies that come up in the IT audit, or if there are areas where the organization could be doing better compared to peers.
“While the audit side is separate from the CISO, they need to be able to advise on the audit report and next steps with the board. The legal department and chief risk officer may also be involved and need to work with the board on any disclosures required,” he said.
Evolution ahead
McGladrey has seen the CISO role evolve, as its responsibilities changed, into what it is today. “A modern CISO should be adept at explaining to boards how they advise other business units on cyber-related risks, and openly discuss their partnership with business unit leaders,” he said.
In the current climate, a CISO's responsibility is to communicate key risk indicators effectively.
As an example, a CISO who reports quarterly on the number of unresolved vulnerabilities does not add much to the discussion. By contrast, a CISO who discusses service-level agreement (SLA) exceptions and their impact on organizational risk tolerance adds significant value.
“Boards understand SLAs and risk better than technical vulnerabilities,” he said.
Boards need actionable information in order to ask the right questions: real-time data on how effectively controls mitigate business risks, and an understanding of which risk or service-level exceptions increase organizational risk.
“The board focus should be on asking informed questions about the effectiveness of cybersecurity programs in reducing business risks,” he said.
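The contrast McGladrey draws between a raw backlog count and SLA-exception reporting is easy to make concrete. The following is an added example, not code from the article or from anyone quoted in it: it takes a small set of constructed vulnerability findings, applies assumed per-severity remediation SLAs (the 7/30/90/180-day targets are an assumption for this example, not figures from the article), and produces both the unhelpful number (how many findings are open) and the board-relevant view (how many are past SLA per severity, how far past, how many were closed late, and what share of open critical/high findings are overdue).

```python
"""Turning a raw vulnerability backlog into SLA-exception key risk indicators.

Added example, not code from the article or from the people quoted in it.
The SLA targets and the findings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation targets in days per severity (constructed for this example).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding; resolved is None while it is still open."""
    id: str
    severity: str
    discovered: date
    resolved: Optional[date] = None


def _check_severity(f: Finding) -> None:
    # Reject records the SLA table cannot classify rather than silently skipping them.
    if f.severity not in SLA_DAYS:
        raise ValueError(f"{f.id}: unknown severity {f.severity!r}")


def days_overdue(f: Finding, as_of: date) -> int:
    """Days past the SLA for a finding as of a date (negative means still within SLA)."""
    _check_severity(f)
    return (as_of - f.discovered).days - SLA_DAYS[f.severity]


def open_count(findings: List[Finding]) -> int:
    """The raw metric the article calls unhelpful: how many findings are unresolved."""
    return sum(1 for f in findings if f.resolved is None)


def sla_exceptions(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings whose age exceeds the remediation SLA for their severity."""
    return [f for f in findings if f.resolved is None and days_overdue(f, as_of) > 0]


def kri_summary(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-severity KRIs: open findings, those past SLA, worst overdue age, late closures."""
    summary = {sev: {"open": 0, "past_sla": 0, "max_overdue_days": 0, "closed_late": 0}
               for sev in SLA_DAYS}
    for f in findings:
        _check_severity(f)
        row = summary[f.severity]
        if f.resolved is None:
            row["open"] += 1
            overdue = days_overdue(f, as_of)
            if overdue > 0:
                row["past_sla"] += 1
                row["max_overdue_days"] = max(row["max_overdue_days"], overdue)
        elif (f.resolved - f.discovered).days > SLA_DAYS[f.severity]:
            # Closed, but only after the SLA had lapsed: still a process signal.
            row["closed_late"] += 1
    return summary


def headline_kri(findings: List[Finding], as_of: date) -> float:
    """Percentage of open critical/high findings past SLA; 0.0 when none are open."""
    urgent = [f for f in findings
              if f.resolved is None and f.severity in ("critical", "high")]
    if not urgent:
        return 0.0
    late = sum(1 for f in urgent if days_overdue(f, as_of) > 0)
    return round(100.0 * late / len(urgent), 1)


# Constructed sample backlog as of the end of a quarter (not real findings).
AS_OF = date(2024, 6, 30)
FINDINGS: List[Finding] = [
    Finding("V-001", "critical", date(2024, 6, 27)),                     # 3 days old, in SLA
    Finding("V-002", "critical", date(2024, 6, 10)),                     # 20 days old, 13 overdue
    Finding("V-003", "high", date(2024, 5, 1)),                          # 60 days old, 30 overdue
    Finding("V-004", "high", date(2024, 6, 15)),                         # 15 days old, in SLA
    Finding("V-005", "medium", date(2024, 2, 1)),                        # 150 days old, 60 overdue
    Finding("V-006", "low", date(2024, 1, 1)),                           # 181 days old, 1 overdue
    Finding("V-007", "high", date(2024, 3, 1), resolved=date(2024, 3, 20)),     # closed in SLA
    Finding("V-008", "medium", date(2024, 6, 1)),                        # 29 days old, in SLA
    Finding("V-009", "low", date(2024, 5, 1)),                           # 60 days old, in SLA
    Finding("V-010", "critical", date(2024, 6, 1), resolved=date(2024, 6, 20)),  # closed late
]

if __name__ == "__main__":
    print("Unresolved findings (raw count):", open_count(FINDINGS))
    print("Open critical/high past SLA: %.1f%%" % headline_kri(FINDINGS, AS_OF))
    for sev, row in kri_summary(FINDINGS, AS_OF).items():
        print(f"{sev:9s} open={row['open']} past_sla={row['past_sla']} "
              f"worst_overdue={row['max_overdue_days']}d closed_late={row['closed_late']}")
```

Run as a script, the raw count reports eight open findings, which says nothing about exposure; the KRI view shows that half of the open critical and high findings have blown through their remediation target, with the oldest high finding a full month past SLA, which is the kind of risk-tolerance statement a board can actually question.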