It’s been eight and half years since I first wrote about the need for security leadership representation in the boardroom. I then revisited the topic last year, when the SEC initially proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.
Now, as the SEC cyber incident disclosure rules come into effect, organizations will finally be forced to seriously consider giving security leaders a seat at the table. It’s the next logical step to be able to comply with the disclosure and oversight requirements as the new guidelines detail.
The positives of SEC involvement
Feedback from industry professionals highlights the pros and cons of the new SEC rules. But since the new rules are inevitable and disclosure reports are due beginning December 2023, the time has come to focus on the positives for the industry that the SEC is stepping-in.
Having some standardization of terminology, for example the definition of an incident and what is material and thus disclosure-worthy, will enable executive leadership to focus on exactly what is needed in the boardroom. This should save organizations from spending cycles setting their own policies, procedures, and reporting practices. The other positive is that the initiative will likely drive investments in security technology, which is a good thing for security professionals and organizations as they will be more protected.
The implications to board composition
At the same time, the guidelines plainly state that organizations will be required to “describe the board of directors’ oversight or risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cyber threats.” This is incredibly difficult to do given the dearth of security expertise on boards. Brian Krebs recently updated research he did back in 2018 of Fortune 100 companies that list a CSO or CISO in executive leadership positions on their websites. At the time, only five of the Fortune 100 did. Using the latest available list (2022), he found there are still only five! Organizations including IANS and Heidrick & Struggles have conducted studies of their own that also reveal security leaders have little representation at executive levels.
We all know that most companies employ a CISO or CSO these days, and that cybersecurity is a topic on the board’s agenda. But if that individual is not actively sitting on the board, how confidently can that company state they have cyber risk oversight capabilities and management expertise in the boardroom?
A tangible win-win
There’s also an interesting dynamic at play from the CISO perspective. Salt Security’s State of the CISO 2023 report found that topping the list of personal challenges CISOs face are concerns that a security breach in their organization may result in personal litigation and liability. The fear is so acute that some CISOs are opting for roles below the CISO level or requesting indemnification. Given legal proceedings against the CISO of SolarWinds and the former CSO of Uber, this reaction comes as no surprise and will fuel further concern.
However, at a time when organizations need their experienced CISOs more than ever, the SEC ruling can help turn this challenge into an opportunity. Executive leadership can stem the tide of CISOs looking to step back to reduce their own personal risk by offering a board seat that extends directors and officers insurance to them and helps allay some of their legal concerns. Elevating CISOs to the board also demonstrates in no uncertain terms that the board is prioritizing cybersecurity. Invitations to present to the board at select times and investment reviews only during budgeting season will become a thing of the past. The stage is set for collaborative assessment of the people, processes, and technologies in place to protect the business and continuous review of the dynamic threat landscape and the investments needed to mitigate risk.
SEC involvement is the catalyst we need to get security representation in the boardroom – at long last! As security professionals, we should welcome the opportunity as it means the responsibility of protecting the business is finally recognized as a key enabler of business strategy and treated as such.