Anticipation is high for a new directive from the U.S. Securities and Exchange Commission (SEC) requiring public companies to demonstrate board-level competence in cybersecurity.
The forthcoming SEC regulations, proposed in March 2022, concerning cybersecurity in public companies are speculated to contain a mandate for revealing the extent of cybersecurity proficiency at the board level. This leads to the question, ‘What is the most effective way to cultivate board-level cybersecurity expertise?’
As per a study conducted by the CAP Group in February 2023 (published by the Forbes Technology Council), “up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise.” A quick and straightforward solution would be to elevate the incumbent CISO to the board. However, this necessitates transforming a primarily operational executive into a strategic business advisory role.
Another study by IANS Research, Artico Search, and the CAP Group in June 2023 (CISOs as Board Directors: CISO Board Readiness Analysis – PDF) assessed the readiness of CISOs for board positions in Russell 1000 companies. The findings were varied: 14% were perfect candidates, 33% strong candidates, and 52% were developing candidates.
This, however, leaves three fundamental questions unanswered. Should the CISO be promoted to the board? Would a functioning CISO serve well as a board member? Lastly, what other alternatives exist to fulfill the SEC mandates?
Opinions differ among existing CISOs (although not necessarily in public companies) and other executive leaders. Everyone agrees on the need to amplify board-level cyber expertise, but there’s no consensus on the best approach. Nicholas McKenzie, CISO at Bugcrowd, comments, “More cybersecurity expertise is needed on and across boards. But that doesn’t necessarily mean dropping in a ‘board ready’ CISO to achieve the desired effect of the SEC’s proposal. The ideal state is when the board itself can speak ‘cyber language,’ as a collective, instead of relying on a presentation from a CISO or others.”
This task is not straightforward. John Bambenek, principal threat hunter at Netenrich, comments, “The best way to get cybersecurity expertise on the board is for the board to possess it inherently and not depend on the CISO, whom they should be overseeing.” He doesn’t favor cybersecurity training for the board in general. “Frankly, it is not ideal to train an existing board member because experience truly does matter.” However, he suggests one option: “There is a growing number of experienced cybersecurity executives and founders with board skills who are retired or semi-retired that can help fill this gap.” In other words, recruit board-ready cybersecurity experts from outside the organization.
Moreover, there’s a practical issue when considering promoting an existing CISO – their short tenure. Bambenek adds, “CISOs often have limited tenure; therefore, their ability to guide long-term board direction is dubious.” A 2022 Cybersecurity Ventures survey revealed that 45% of CISOs usually leave their current role within 18 months.
Promoting the CISO to the board might not completely satisfy the SEC. The real solution is enhancing the overall board-level comprehension of cybersecurity. Ram Elboim, CEO at Sygnia, suggests a three-fold solution: enlisting someone with proficient cybersecurity knowledge to the board; elevating the general level of cyber consciousness; and conducting regular tabletop exercises to demonstrate the repercussions of cybersecurity incidents.
The first goal could be achieved by either promoting the CISO or recruiting a new board member with the required skills and experience. Randy Watkins, CTO at Critical Start, suggests, “While all board members should be educated on cybersecurity concerns facing their business, boards should strive to bring in experienced expertise.”
If the existing CISO is to be promoted, Sounil Yu, CISO at JupiterOne, says, “CISOs that have expertise in other business risk areas (e.g., financial risk, market risk, operational risk, reputation risk, etc.) will be more qualified to serve as a board member.”
Elboim’s second point is about ensuring that board members grasp the CISO’s challenges through increased security awareness. But this alone won’t be enough, since awareness training has proven to be of limited effectiveness for both staff and board members.
The SEC rule will make it equally important for the business to be able to communicate with the CISO in security language. Yu says, “In the final analysis, it is the CISO’s job to protect the organization. It is not to consider the business strategy of the organization.” Elboim adds, “It’s both top-down and bottom-up. That would be the best approach.”
The third aspect of Elboim’s approach involves periodic tabletop exercises for the board. These help board members understand how the organization should respond during an incident and how well they actually know their own policies. Elboim suggests, “This should be done perhaps once every few months with different types of incidents.” This, he believes, will raise the board’s level of understanding beyond mere awareness.
The exact wording of the SEC rule will be known only when it is officially published. Its main objective, however, is clear: to demonstrably enhance cybersecurity and awareness in the long-term business strategies of public companies. The way this objective will be achieved is likely to vary among different organizations. The risk lies in the possibility of larger, well-funded public companies poaching better-qualified CISOs from smaller private firms, exacerbating the existing problem of CISO recruitment.