The SEC Is About To Force CISOs Into America’s Boardrooms
This year is the twentieth anniversary of the U.S. legislation known as the Sarbanes-Oxley Act (SOX). Congress and the SEC moved quickly on SOX given the existential threat facing U.S. capital markets from a potential collapse in confidence in financial reporting. Among other things, SOX brought significant transformation to the corporate boardroom.
One of the most impactful changes was to board composition: SOX required disclosure of boardroom financial expertise. This had the effect of introducing finance and accounting aptitude onto many, if not most, corporate boards for the first time. It is remarkable in hindsight that only twenty years ago it was a novel concept for a U.S. public company board to have a director who understood a financial statement and accounting issues.
The next corporate director competency that the SEC is now transforming is boardroom cyber expertise.
The SEC recently proposed new rules that would require U.S. public companies to disclose whether any of their directors have cybersecurity expertise. This is currently a relatively rare skillset within the ranks of most corporate boards, not just in the U.S. but worldwide.
While rare, some well-known U.S. companies already understand the value of having deep cybersecurity competencies on their board. Companies such as FedEx, Hasbro, PNC and UPS have transformed their approach to governing cyber risk, starting with boardroom cyber expertise.
Why did these boards get it, while so many others have not? Why are we now at a point where the SEC has to force corporate boards to add this skillset to their director ranks?
I recently interviewed former IBM executive and current U.S. public company corporate director Rodney Adkins on his first-hand experience with the leading edge of transforming digital and cyber risk oversight in the boardroom. I initially asked him about the need for deep and broad digital and cyber directors on boards and he commented, “Boardroom skills need to reflect the patterns of the marketplace.”
With the World Economic Forum estimating that 60% of economic growth is being driven by digital technologies, governing the creation of this value and how it needs to be protected should already be boardroom table stakes. But it isn’t yet. Rod explained the lag in corporate governance over cyber risk this way:
“The trigger for the boards that I’m on came from an unexpected place. It wasn’t the board that was the catalyst for governance reform. It was the management teams coming to the conclusion that they had to get a grip on cyber risk as a risk that was never going to go away. And then it all came together when boards realized their part in the cybersecurity system and the need to more effectively exercise their responsibilities.
We sort of woke up together as a result of some of the rising awareness and education on cyber risk we were experiencing. While the natural boardroom instinct to worry about some of these issues was there, it now helps enormously to have directors in the boardroom who have been operators in cybersecurity.”
Corporate governance is a system in and of itself that requires the right director skills, boardroom structure, and scope of risk oversight. Given the rapidly changing cyber risk environment that faces every company, cyber risk presents clear and present equity, financial and litigation threats. That risk is heightened in companies whose corporate directors do not understand these issues. And because these issues bear squarely on the interests of investors, customers and every other corporate stakeholder, they are an SEC issue.
These issues are significant enough that the SEC is now proposing to require disclosure of boardroom cyber expertise, as they did 20 years ago with financial expertise. I asked Adkins about the challenge of staying on top of both the changing cyber risk landscape and leading cybersecurity practices:
“While I’m on the boards of some large well known public companies, I recently joined the board of a private cybersecurity company NVISIONx exactly for this reason. NVISIONx focuses on systemic cyber risk at the data level. Data is the lifeblood of every digital system, and data that is stolen, held hostage, or even corrupted can introduce downstream risk into operational processes.
This helps me stay on the leading edge of these issues and by having someone like me with an operational IT and cyber background, as these topics come up in the boardroom, I can force more of the dialogue on what is really critical, what are the real issues, the exposures, our game plan and do we have the right level of investment and talent. It allows the conversation to be much richer.”
The proposed SEC rules for boardroom cyber expertise follow the approach the SEC took 20 years ago with financial expertise. Rather than focusing on job titles, the rules frame expertise in terms of depth of experience, demonstrated competencies and formal education in the field. The proposed rules suggest that expertise be determined by:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.
The SEC wants deep operational competencies in cybersecurity in the boardroom, as they did with financial expertise. Adding this director competency to U.S. public company boards will strengthen the boardroom as a critical control point in every company’s cybersecurity system. As happened with SOX, regulators around the world will also likely mirror this requirement, creating a global acceleration of cyber board transformation.