The U.S. Securities and Exchange Commission (SEC) is expected to introduce a rule requiring demonstration of cybersecurity expertise at the board level for public companies.
New SEC rules on cybersecurity within public companies, proposed in March 2022, are expected to be published soon. The details are not known but are thought to include a requirement to disclose the level of cybersecurity expertise at the board level. The open question is ‘How can board level cybersecurity expertise be best achieved?’
A study by the CAP Group in February 2023 (published by the Forbes Technology Council) found that currently “up to 90% of companies in the Russell 3000 lack even a single director with the necessary cyber expertise.” The simplest and speediest solution would be to promote the existing CISO to the board – but that would require transplanting a focused operational executive into a strategic business advisory role.
A subsequent study by IANS Research, Artico Search, and the CAP Group published in June 2023 (CISOs as Board Directors: CISO Board Readiness Analysis – PDF) looked at CISO readiness for a board position among Russell 1000 companies. The result is mixed: 14% are ideal candidates, 33% are strong candidates, and 52% are emerging candidates.
But this doesn’t address three fundamental questions. Should the CISO be promoted to the board? Would an operational CISO make a good board member? And finally, what other options are available to fulfill the SEC requirements?
Opinion among existing CISOs (albeit not necessarily in public companies) and other executive leaders varies. Nobody doubts the need to increase board level cyber expertise, but there is no single preferred route. “More cybersecurity expertise is needed on and across boards,” comments Nicholas McKenzie, CISO at Bugcrowd; “but that doesn’t necessarily mean dropping in a ‘board ready’ CISO to achieve the desired effect of the SEC’s proposal. The Nirvana state that needs to be aimed for is when the board is talking ‘cyber speak’ themselves, and as a collective, and not having it presented to them (by a CISO or other).”
This won’t be easy. “The best way to get cybersecurity expertise on the board is for the board to have it natively and not rely on the CISO whom they should be governing,” comments John Bambenek, principal threat hunter at Netenrich. He is not in favor of cybersecurity training for the board in general. “Frankly, it is not ideal to train an existing board member because experience truly does matter.”
But he offers one option. “There is a growing number of experienced cybersecurity executives and founders with board skills who are retired or semi-retired that can help fill this gap.” That is, recruit existing board-ready, cybersecurity savvy outsiders.
There is also a practical issue when thinking about promoting the existing CISO – the short tenure of existing CISOs. “CISOs often have limited tenure, therefore their ability to set a long term board direction is tenuous,” adds Bambenek. According to a survey published by Cybersecurity Ventures in 2022, 45% of CISOs tend to leave their current position within 18 months.
Promoting the CISO to the board may or may not be enough to satisfy the SEC. The real solution will be to increase general board level understanding of cybersecurity. Ram Elboim, CEO at Sygnia, recommends a three-pronged solution: adding someone with good cybersecurity knowledge to the board; improving the general level of cyber awareness; and holding periodic tabletop exercises to demonstrate the effect of cybersecurity incidents.
The first could be achieved by promoting the CISO, or by bringing in a new board member with the relevant experience and capabilities. “While all board members should be educated on cybersecurity concerns facing their business, boards should work to bring in tenured expertise,” suggests Randy Watkins, CTO at Critical Start.
If the existing CISO is to be promoted, “CISOs that have expertise in other business risk areas (e.g., financial risk, market risk, operational risk, reputation risk, etc.) will be more qualified to serve as a board member,” says Sunil Yu, CISO at JupiterOne.
Elboim’s second prong would be ensuring that board members understand the CISO’s issues through increased security awareness. But awareness training hardly works for staff members, never mind board members – so training alone will not be enough.
It is increasingly important for CISOs to speak to the board in the business language (and this remains essential). “Public companies that attempt to train existing board members with cybersecurity expertise will need to ensure that their CISO can translate security concerns using terminology and examples that are relatable to those board members,” says Yu.
But the SEC rule will make it equally important for business to be able to talk to the CISO in security terms. “In the final analysis,” says Elboim, “it is the CISO’s job to protect the organization. It is not to consider the business strategy of the organization.” But the SEC will require better integration between board and security – and that must come from both sides. “It’s both top-down and bottom-up,” he continues. “That would be the best approach.”
Improved awareness will help, but probably not satisfy the SEC on its own – it’s too nebulous. Elboim’s third prong is periodic documented tabletop exercises for the board. “Some kind of tabletop exercise that walks the board members through an incident, examining how the organization should respond, and what they know about their own policies. What do they know about the people who should become involved with an incident? How should the organization work with third parties like law firms and external PR consultants, or even their own internal HR department? So, the board should be walked through everything that has to be done in relation to an incident – perhaps once every few months with different types of incident.” That, he suggests, will raise the level from awareness to the net level: understanding.
We will need to wait for the precise wording of the SEC rule when it is published. Its purpose, however, is already clear – to demonstrably improve cybersecurity and awareness in long term business strategies within public companies. Precisely how this will be satisfied is likely to differ between different organizations. One danger is that large, well-funded public companies may start to poach the better qualified CISOs from smaller private firms, adding more to the existing general problem of CISO recruitment.
Related: Why CISOs Make Great Board Members
Related: Prepare for What You Wish For: More CISOs on Boards
Related: Four Things Your CISO Wants Your Board to Know
Related: Tactical vs Strategic: CISOs and Boards Narrow Communication Gap