Boards Are Slow to Add Cybersecurity Expertise
Brushing it Aside is Hardly the Answer
By Brian Barnier, Boardwise Partner
The latest study of S&P 500 US-listed companies shows only 12% have board directors with relevant cybersecurity credentials. Of those, only 7 had an active or former Chief Information Security Officer on the board. According to the report by the Diligent Institute and the NightDragon VC firm*, 88% of companies have no director with cyber expertise, even though governance experts emphasize how crucial it is to have credentialed cyber experts aboard to oversee and manage cyber risks. Instead, most have a director with some adjacent technology experience, which hardly prepares a board for handling a cyber attack.
Most of us understand cyber expertise on a board is crucial for good governance. Since directors are responsible for ensuring risks are managed properly, they must have cyber knowledge to ask the right questions and take wise steps.
Why the Drag?
One reason is that it is not obligatory. The rules proposed by the Securities and Exchange Commission would have required companies to disclose which board members had cyber experience; however, this did not make it into the final rules now in play.
Another reason directors cite is that it is hard to find the right candidate with the combination of cybersecurity technical expertise, executive business experience, and the wider knowledge needed to contribute to all the other topics in a director's governance duties.
How to Shift from Sitting Down to Sitting Up
There are key steps we all can take to solve this.
Board Education
- Many of our boards are taking the initiative to take classes and certification programs to be well educated about cyber topics, especially in relation to risk. DCRO offers a program that is worth considering.
- Similarly, we help certify cyber experts in corporate governance to prepare them for the broader duties ahead as directors.
Provide Directors New Ways to Guide Management to Solve the Real Problem in Cybersecurity
We focus on skills to ask the right questions in our Cybersecurity Training programs.
- In a casual conversation, not in the board meeting, gently ask the management team what they see as the top problems in cybersecurity.
- You will most likely hear “changing threat landscape” (including ransomware), “emerging risks,” “social engineering,” “poor security culture” referring to general employees, “cloud/IOT/mobile devices,” and – the catch-all “poor cyber hygiene.” A people-aware management team will add “stress and burnout.”
- Then gently ask "why?" to get to the real root cause and solve the real problem. Our distinctive approach empowers board members to ask the questions that solve the real problem.
- If you hear answers like “we need more tools or certifications,” keep gently asking “why?”
- This practice keeps management from feeling set up. The objective of a board member is to add value by asking more insightful questions, long before a breach occurs.
Whatever path you take, the objective is to end up at the nature of the system in which cyber risk lives. Most cyber pros are set up to FAIL because the methods used are not appropriate for the nature of the system. Compliance checks are failed methods. In the famed Fishbone Diagram, Environment drives the Method.
This discovery is important because many cyber pro methods and math lag by decades (sometimes a century) behind those used in other professional disciplines. This is why surveys of cyber pros frequently report stress and burnout, which in turn causes breaches.
The simpler way is to apply Industrial-Strength Design Thinking, which has existed in the U.S. since at least the mid-1800s. This empowers board members to empower management, who then empower cyber pros. Cyber pros can better protect companies and people from danger through more insightful and helpful questions of management, which happens when corporate board members bring their whole selves (personally and professionally) to discussions of cyber in the board room.
When board members are confident about systems designed for a purpose in which they have lived for years, they can more easily apply that thinking to cybersecurity. This empowers board members to guide management to prevent breaches by empowering cyber pros. We help directors practice this in our programs, drawing from people's professional and personal backgrounds to understand systems designed for a purpose.
We prepare and certify cyber talent to serve on boards. We also provide education programs for boards. Contact us to learn how we can help.
-----------------------------------------
* NightDragon and the Diligent Institute, the research and think-tank arm of executive software developer Diligent: https://www.diligentinstitute.com
Brian Barnier provides Boardwise clients with programs to address risk management, cybersecurity and AI-ML Decision science. A published author on all areas of risk management, he educated governments on these topics on behalf of the World Bank and teaches data science graduate seminars at City University in NY.