When you hear "cybersecurity" you may think of a kid in a hoodie in mom's basement clacking away at a keyboard and hacking the government. Here's another image to fix in your mind: an experienced chief information security officer (CISO) in a meeting of the board of directors, educating their peers and advocating for strategy. This image should become more common, thanks to new rules proposed by the Securities and Exchange Commission (SEC) — rules that will increase the accountability of boards of directors for cybersecurity.
This three-part article will cover what you need to know about ensuring your board of directors has the cybersecurity knowledge it needs:
Part 1: We'll discuss the value of having a cybersecurity expert on the board and how to find such an expert for your board.
Part 2: We'll get into what board members need to understand.
Part 3: We'll look at how you, as a cybersecurity expert, might go about finding a board seat.
The good news is that there are very talented cybersecurity professionals in the world with a desire to give back by helping boards of directors make informed decisions.
The Money Problem
According to IBM's Cost of a Data Breach Report 2021, the average cost of a breach rose from $3.86 million to $4.24 million, the highest figure in the 17 years the report has been published. Many mid-sized companies would find a loss of that size devastating. Are boards of directors (BoDs) accountable? They are certainly exposed to legal action, as we saw when investors sued SolarWinds' board members in 2021. The suit claimed that board members were aware of the cybersecurity risks but failed to act on them.
This accountability makes sense. While BoD arrangements and responsibilities vary between public and private companies, board members generally represent the interests of shareholders or private investors. They oversee operations at a high level and have the authority to hire and fire the CEO and other senior leaders. That makes them accountable for financial performance and for protecting the company's assets. Just as the board would be held responsible for advocating a strategy that caused the company to lose money or assets, the BoD is responsible for protecting the company from losses stemming from a cybersecurity breach.
Why the SEC Thinks You Need a Cybersecurity Expert
Reflecting this accountability, the SEC proposed new rules in 2022 that would expand what public companies disclose about their cybersecurity risk management and governance, as well as about material cybersecurity incidents. Boards would be expected to treat cybersecurity as part of overall company strategy. In addition, boards would need to show investors that they regularly consider the risks to the privacy of internal and external stakeholders as well as to the economic well-being of the company. Even before the SEC action, in 2017, the World Economic Forum published global recommendations to help BoDs treat cybersecurity as a strategic consideration.
The SEC's position implies that every board member should have a general working knowledge of cybersecurity -- in other words, it's not enough just to have a single cybersecurity expert on your board -- but having a subject matter expert is critical to keeping the issue front and center. This expert can also take point on keeping other members up to date in a field that is constantly changing.
Another reason to add a cybersecurity expert to your board is to broaden the range of input in the decision-making process. Cross-functional teams are widely reported to outperform single-function teams in decisions and solutions at the operations level, so it stands to reason that a BoD should also include people from diverse functional backgrounds (as well as diversity in gender identity, ethnicity, age, etc.).
How to Recruit a Cybersec Director
A good first step is to evaluate the current mix of directors on your board so that you can fill any gaps when adding a new one — a single individual can bring more to the mix than cybersecurity expertise alone. Factors to consider may include other functional expertise (finance, operations, marketing, etc.); board experience; diversity, equity and inclusion (DEI) goals; industry background and more. Keep in mind that you DON'T want everyone to be from your industry. For example, I know of a company in industry X that has a board member who is a cybersecurity expert from the automotive industry.
Once you know what you are looking for, create a job posting that highlights the ideal profile and "sells" the opportunity to candidates. If you're conducting the search internally, you can take advantage of board members' networks to identify candidates. However, make sure those networks include the diversity you want; most of us tend to connect with people who have similar backgrounds and interests. This is one reason boards work with executive search firms. You can also find candidates by connecting with professional cybersecurity associations such as ISSA and ISACA, or through industry publications such as CSO Online.
How to Interview Strategically
Once you have identified candidates, you'll need to interview them. You'll probably want both board members and company officers to be involved in the interview process. At the same time, as with any position in today's highly competitive market, avoid holding too many interviews. Before the interviews, decide what questions to ask and who will ask them. This will help you make sure all salient information is covered while also avoiding repetition. For insight into what kind of knowledge a candidate should have -- about board responsibilities in general and about cybersecurity in particular -- see Part 2 of this article.
Define the decision-making process before you make the actual decision. This will help avoid confusion and unnecessary conflict. Once you've made your choice, be proactive about helping the new director integrate with the rest of the board, and make sure the other directors respect their specialized expertise.
Check back soon for Parts 2 and 3 of this article!