Just 14 Percent of New Fortune 500 Board Positions Filled with Cybersecurity Expertise in 2022
The reality is that most cybersecurity incidents are enabled by IT operations failures (slow patching and misconfigurations) and tactical choices to continue to use reusable passwords years after everyone knew they were the major success factor for breaches and ransomware. While the SEC requiring information on board expertise in cybersecurity is a good thing, remember: boards approve all mergers and acquisitions, 70% of M&A deals fail, and boards are supposed to be focused on strategic issues (like M&A) vs. tactical issues like IT and security operations hygiene.
The value of cyber expertise at the board level depends on the business. The board is focused on strategy, hiring the CEO, selecting a chairman, and sustaining/growing the business. Having board members with a cyber background doesn't guarantee that they have the current expertise to weigh in on cyber initiatives. The operational team, including the CISO, needs to remain prepared to brief up, including background, in a context that aligns with the board focus. Board members need to make sure they are asking for the cyber briefing on new initiatives, including mergers, then empower their employee, the CEO, to act appropriately.
Whilst it is important to talk about cyber risks at the board, the root cause usually comes down to a lack of focus on people, process, and technology (i.e., configuration, patch management, active monitoring) by IT operations. Board responsibility is rightly focused on business operations (costs, revenue targets, business growth, brand awareness). These are different professional skill sets. Cybersecurity expertise can be obtained as independent officers or experts that augment board deliberations.
I’m very surprised to have seen this high a number of executive boards filled with Cybersecurity Expertise. This is encouraging as more traction stories like this will further board requests for members to have cybersecurity expertise. This is a rather positive news story, even if it is trying to be shocking.
The primary role of the Board in cybersecurity is to set the organization's tolerance for risk. This is an application of the knowledge, skills, abilities, and experience that one expects of directors. The role of the security staff is to help the Board express the intended risk tolerance in such a way that all levels and functions of management understand what that means they are expected and authorized to do. While this articulation is not easy, it is what we are expected to have the knowledge, skills, abilities, and experience to do.