Adding Cybersecurity Expertise to Your Board

Most corporate boards lack directors with adequate skills to oversee cyber risk. New SEC regulations make correcting that deficiency more urgent.


    Against a backdrop of persistent cyberattacks, and spurred on by new regulations, corporate boards are scrambling to build better capabilities to oversee cybersecurity risk management.1 While this is good news for healthy corporate governance, it presents immediate challenges to companies looking to identify and recruit new directors with the right mix of skills, experience, and contacts.

    Given the significance of cybersecurity risk, increased attention to board skills and composition in this area is overdue. Respondents to PwC’s 2023 Annual Corporate Directors Survey rated cybersecurity risk second only to strategic/disruptive risks as a significant challenge to their board, and 64% reported that they had increased the amount of board meeting time devoted to the topic in the past 12 months. However, only 19% said they had added a new board member with cybersecurity experience in the past year.2

    Boards of public companies that lack strategic expertise in cybersecurity might be more vulnerable to attacks by cybercriminals, and that exposure will soon be more evident to investors — and potential customers doing due diligence. In July 2023, the U.S. Securities and Exchange Commission adopted new rules that mandate prompt and comprehensive cybersecurity disclosures, beginning with 10-K forms filed after Dec. 15, 2023.3 The new rules mandate disclosures about how cybersecurity risks are identified and managed, and management’s role in implementing cybersecurity policies and procedures. Companies are now required to describe the board’s oversight of risks from cybersecurity threats and board directors’ level of cybersecurity expertise.4 Overall, the new rule is intended to improve investors’ awareness of both risk management practices and material cybersecurity incidents.

    Complex, ever-evolving cybersecurity risks that are intertwined with business risks require the focused attention of at least one board director with deep technology and business knowledge and experience. For example, decisions to use emerging technologies such as AI to gain operational efficiencies need to carefully weigh the potential for new security risks.

    The experience of a chief information security officer (CISO) of a large national health organization makes it clear how much a well-qualified board director can help advance the board’s cyber practice. Speaking to us about the former CISO of a competitor who has joined his company’s board, he said, “She knows the industry and has seen how others operate, and she has a wealth of business experience. She’s an incredible resource that just fits right in.” He praised the board member’s ability to translate difficult concepts for nontechnical people, as well as her willingness to ask him, the CISO, very pointed questions. “What she brings to the table is the knowledge to understand, translate, and prod. All of those ensure the board gets what they need and I don’t get bogged down in minutiae,” he concluded.

    As the example shows, a board director with deep cybersecurity expertise can collaborate closely with senior management and IT teams and provide valuable insights into identifying vulnerabilities, assessing risk, and developing solutions. They can also play a critical leadership role in overseeing regular security audits, ensuring that contracts associated with business objectives are reviewed for cybersecurity implications, and helping the IT team navigate incident response efforts alongside other teams, such as legal.

    Board Cybersecurity Strategists Need Diverse Capabilities

    The problem is that while many boards know they need to bring on a cybersecurity-savvy director, they don’t quite know what the role entails or what experience is required. Below, we’ll discuss key facets of the role of a cybersecurity specialist on the board and the qualifications to look for. These insights should aid the board as it seeks to add someone who will make a positive impact on the company’s cybersecurity resilience and demonstrate to investors that these material risks are well managed.

    A good cyber strategist is not just technically competent. They have a powerful mix of technical know-how and business understanding, along with communication prowess and crisis management skills. Based on our research, we’ve compiled a 5-point framework of skills required to effectively bolster the board’s competence in cyber oversight. (See “Board Cyber Strategist Skills Constellation.”) We’ll look at each of these in turn. For each capability area, we’ve compiled a list of relevant qualifications. To use these as a scoring rubric in evaluating candidates, award 2 points if a candidate is highly qualified, 1 point if qualified, and no points if they lack a particular qualification.

    Board Cyber Strategist Skills Constellation

    A board director who can contribute effectively to improved cybersecurity oversight must have a well-balanced and varied portfolio of skills and experiences.

    1. Technical expertise enriched by industry context.

    The most fundamental qualification for an expert board member is an understanding of the nitty-gritty details of cybersecurity threats, vulnerabilities, technical best practices for improving defenses, and resilience. That knowledge also affords them insight into how an attack could manifest in a particular business environment: what attackers want, and what they are likely to target. They should also have a sophisticated understanding of sharing cyber threat intelligence (CTI) across organizational boundaries. The cyber strategist understands the value that timely CTI affords and that applying the principle “if you see something, say something” — even to competitors — can reduce ripple effects in the supply chain of information, products, and services. (After all, the company might be both a provider and consumer in that supply chain.)

    Cybersecurity is not only about responding to immediate threats but also involves planning ahead and implementing preventive measures guided by industry standards and regulations, such as those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Center for Internet Security, and the Cybersecurity and Infrastructure Security Agency.5 Such frameworks and regulations offer globally recognized guidelines for creating secure systems, and familiarity with them is an important part of technical competence in this area. The cyber strategist should also have a solid grasp of standards relevant to the organization’s particular industry.

    Evaluate candidates for technical experience that demonstrates their ability to advise on strategic decisions. Look for the following:

    • Positions held (such as CISO, CTO, CIO, chief data officer, or security manager) that require familiarity with foundational cybersecurity skills and tools.
    • Experience working on cybersecurity technical standards, government policy, or advisory working groups (such as NIST, ISO 27001, or IANS Research).
    • Education (such as a bachelor’s to advanced degree in cybersecurity, computer science, or information systems).
    • Credentialed technical training and certification, such as Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP).

    2. Business acumen, including risk management.

    Aligning cybersecurity goals with broader business objectives requires strategic thinking about reducing risks in achieving those objectives. For example, the cyber strategist can identify and assess prospects and risks associated with integrating enterprise technology acquired from mergers and acquisitions.

    As the CEO of a tech company said to us, “We need someone who understands business. … They have to be able to translate what the operational and bottom-line financial risk is for non-cyber board members.”

    The cyber strategist should have a thorough understanding of strategic business objectives and be able to articulate how cybersecurity assets can help achieve those objectives. Further, an ability to understand and assess the “blast radius” of potential cyber events — particularly how they might ripple through the company’s entire value chain — is crucial.

    Because cybersecurity professionals have only relatively recently risen to executive and C-suite levels, many candidates might lack broader business experience. They can, however, prepare for a move to directorship via one of numerous focused training programs.

    Evaluate candidates’ business acumen related to cybersecurity by looking for the following:

    • Demonstrated understanding of laws and regulations related to data privacy and breach protections, domestically and internationally, such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.
    • Demonstrated ability to manage cybersecurity investments and budgeting.
    • Directorship training and certification, by the National Association of Corporate Directors’ Accelerate program or a credentialed academic institution program, for instance.

    3. Effective communication across stakeholder groups.

    The cyber strategist’s communication skills are perhaps most essential to helping the board understand the materiality of cyber risks and their potential financial, legal, and reputational consequences. As one CISO and board member put it to us, no one on the board truly understands what it means to have 200-plus unpatched vulnerabilities, but they do understand what it means to have an aggregate liability of $400 million if those vulnerabilities are not addressed. The expert board member should be able to provide that kind of context, with help from the CFO and general counsel.

    An impactful cyber strategist’s communication extends in both directions — to the board on behalf of the technical teams, and to the cybersecurity or other technical personnel on behalf of the board. Along those lines, the cyber strategist should coach the CIO, CISO, and others and build trust so that they are effective at explaining relevant cybersecurity matters in nontechnical terms and comfortable sharing information with the board or answering questions. Fostering this type of communication helps promote a culture that gives the CISO confidence in coming to the board with clear requests and supplying the details needed to back them up.

    Evaluate candidates’ ability to communicate with both technical and business stakeholders by considering the following:

    • Degree of experience educating C-suite leaders across industries and company types about cybersecurity risk.
    • Experience using models such as Factor Analysis of Information Risk to quantify cybersecurity risk in order to support strategic decision-making.
    • Experience coaching security personnel in management communications.

    4. A strong network in the cybersecurity community.

    It’s essential for an effective cybersecurity specialist on the board to have strong ties to peers and key stakeholders in research and government who are likewise focused on these risks. Maintaining a robust network is key to the ability to keenly scan the evolving threat environment and use those insights to inform strategic business decisions, because much useful information is shared by trusted contacts.

    “You must have a good reputation in the ecosystem about using the intel you get and giving good intel,” a CISO and veteran board member told us. “I can go to my colleagues at other companies and probe for what they are seeing as top priorities for the business. I am always in the mix of what’s the latest, from Google chats, blogs, and professional threat-intel groups, and I have a good relationship with my local FBI. I am proactive about getting the intel on what might be a threat. I can then target what I think the board needs to hear.”

    A cyber strategist should have their ear to the ground in their close-knit circle of peers, even those deemed competitors (though, to avoid triggering antitrust concerns, the cyber strategist should consult with the organization’s counsel in the latter case). They know the value of being among the first to contribute threat information to the ecosystem because it builds relationships where such intelligence is shared reciprocally. They should also engage with relevant consortia and public sector authorities, both to anticipate nefarious activity and to stay abreast of industry standards and reporting requirements.

    The cybersecurity specialist on the board might need to advocate for sharing information outside the company if directors are reticent, by explaining how sharing CTI benefits the community as a whole and the company’s own access to others’ CTI in particular.

    Evaluate the depth and breadth of a candidate’s network by asking about the following:

    • Degree of experience engaging in public/private cyberthreat intelligence alliances, such as Information Sharing and Analysis Centers (ISACs).
    • Degree of engagement with other professional cybersecurity organizations.
    • Extent of their peer network.
    • Extent of their contacts in law enforcement and threat research.

    5. Innovative thinking and awareness of emerging technologies.

    “As a strategist, you have to have your ear to the ground about what’s happening in the industry — what’s hot and what folks are blindly implementing to capture new markets,” one of our CISO board member sources told us. “All new technology has unknown cyber implications, and even if you sit on the board of a very forward-thinking, innovative company, sometimes you need to be the one to rein in the board.” That might mean suggesting that the company’s security specialists do a thorough risk analysis on a new AI tool or system reconfiguration, he added.

    The cyber strategist should proactively stay informed about the latest trends and advancements in technology, particularly those relevant to the organization’s industry. This includes keeping abreast of emerging technologies to identify potential opportunities for innovation and to understand the associated risks — for example, monitoring developments in quantum computing that are expected to eventually break the data encryption methods now in use. When new technologies or ventures are proposed, the cyber strategist should advocate for assessing the potential cybersecurity implications.

    The strategist should also work closely with the operations team to understand their proposed strategies and initiatives involving emerging technologies. They can provide guidance and expertise on cybersecurity matters and help operations assess the potential risks and implications of their proposals. They are also aware of regulatory requirements and understand the importance of keeping the legal team informed of the cyber strategy. By collaborating, they can strike a balance between innovation and risk management.

    Evaluate candidates’ capacity to anticipate the risks and benefits of emerging technologies by considering the following:

    • Ability to articulate the cybersecurity issues with specific emerging technologies and areas of innovation relevant to the company.
    • Ability to assess organizational capability for securely leveraging AI in operations, describe the risks to senior management, and propose mitigations.
    • Understanding of how to leverage new technologies to improve cybersecurity operations.
    • Ability to assess organizational efforts in network architecture protections at the enterprise level.

    By evaluating cyber-strategist board candidates in these five key areas — communication, technical knowledge, business, networking, and innovation — the board increases the likelihood of bringing on a new director who will facilitate effective discussions, receive informed advice on critical cybersecurity issues, and make well-considered strategic decisions. But there is one more essential quality that should go without saying: Ethical guidance and conduct should be the cornerstone of cyber strategy and decision-making, as it should be for board members generally. The competencies we’ve reviewed in this article are only truly beneficial when anchored in unwavering ethical principles.

    References

    1. “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission, July 26, 2023, www.sec.gov; “National Cybersecurity Strategy,” PDF file (Washington, D.C.: The White House, March 2023), www.whitehouse.gov; and “Executive Order on Improving the Nation’s Cybersecurity,” The White House, May 12, 2021, www.thewhitehouse.gov.
    2. “Today’s Boardroom: Confronting the Change Imperative,” PDF file (London: PwC, 2023), www.pwc.com.
    3. “Fact Sheet: Public Company Cybersecurity Disclosures; Final Rules,” PDF file (Washington, D.C.: U.S. Securities and Exchange Commission, 2022), www.sec.gov.
    4. M. Galligan and C. Oven, “A New Chapter in Cyber,” Deloitte, June 2022, www2.deloitte.com.
    5. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” Cybersecurity & Infrastructure Security Agency, accessed Nov. 21, 2023, www.cisa.gov.
