CISOs Into Americas Boardrooms
The SEC Is About To Force CISOs Into America’s Boardrooms
What changes will boardroom cyber expertise bring about to the cyber industry, cyber risk, and corporate governance? An article by Bob Zukis via Forbes
This year is the twentieth anniversary of the U.S. legislation known as The Sarbanes-Oxley Act (SOX). The SEC moved quickly on SOX given the existential threat facing U.S. capital markets from a potential collapse in financial reporting confidence. Among other things, SOX brought significant transformation to the corporate boardroom.
One of the most impactful things it transformed was board composition when it required disclosure of boardroom financial expertise. This had the effect of introducing finance and accounting aptitude onto many, if not most corporate boards for the first time. Remarkable in hindsight is that it was only twenty years ago when it was a novel concept for U.S. public company corporate boards to have a director in the boardroom who understood a financial statement and accounting issues.
The next corporate director competency that the SEC is now transforming is boardroom cyber expertise.
The SEC recently proposed new rules that would require U.S. public company boardroom disclosure of corporate directors with cybersecurity expertise. This is currently a relatively rare skillset within the ranks of most corporate boards, not just in the U.S. but worldwide.
While rare, some well-known U.S. companies already understand the value of having deep cybersecurity competencies on their board. Companies such as FedEx, Hasbro, PNC and UPS have transformed their approach to governing cyber risk, starting with boardroom cyber expertise.
Why did these boards get it, while so many others have not? Why are we now at a point where the SEC has to force corporate boards to add this skillset to their director ranks?
I recently interviewed former IBM executive and current U.S. public company corporate director Rodney Adkins on his first-hand experience with the leading edge of transforming digital and cyber risk oversight in the boardroom. I initially asked him about the need for deep and broad digital and cyber directors on boards and he commented, “Boardroom skills need to reflect the patterns of the marketplace.”
With the World Economic Forum estimating that 60% of economic growth is being driven by digital technologies, governing the creation of this value and how it needs to be protected should already be boardroom table stakes. But it isn’t yet. Rod explained the lag in corporate governance over cyber risk this way:
“The trigger for the boards that I’m on came from an unexpected place. It wasn’t the board that was the catalyst for governance reform. It was the management teams coming to the conclusion that they had to get a grip on cyber risk as a risk that was never going to go away. And then it all came together when boards realized their part in the cybersecurity system and the need to more effectively exercise their responsibilities.
We sort of woke up together as a result of some of the rising awareness and education on cyber risk we were experiencing. While the natural boardroom instinct to worry about some of these issues was there, it now helps enormously to have directors in the boardroom who have been operators in cybersecurity.”
Corporate governance is a system in and of itself that requires the right director skills, boardroom structure, and scope of risk oversight. With the rapidly changing cyber risk environment that faces every company, cyber risk presents clear and present equity, financial and litigation threats. Risk is heightened in companies that do not have corporate directors who understand these issues. And these issues are squarely in the interests of investors, customers and every corporate stakeholder which makes it an SEC issue.
These issues are significant enough that the SEC is now proposing to require disclosure of boardroom cyber expertise, as they did 20 years ago with financial expertise. I asked Adkins about the challenge of staying on top of both the changing cyber risk landscape and leading cybersecurity practices:
“While I’m on the boards of some large well known public companies, I recently joined the board of a private cybersecurity company NVISIONx exactly for this reason. NVISIONx focuses on systemic cyber risk at the data level. Data is the lifeblood of every digital system, and data that is stolen, held hostage, or even corrupted can introduce downstream risk into operational processes.
This helps me stay on the leading edge of these issues and by having someone like me with an operational IT and cyber background, as these topics come up in the boardroom, I can force more of the dialogue on what is really critical, what are the real issues, the exposures, our game plan and do we have the right level of investment and talent. It allows the conversation to be much richer.”
The proposed SEC rules for boardroom cyber expertise follow the approach taken by the SEC 20 years ago with financial expertise. Instead of focusing on job titles, expertise is about the depth of experience, competencies and formal education on these issues. The proposed SEC rules suggest that expertise be determined by:
- Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager or business continuity planner;
- Whether the director has obtained a certification or degree in cybersecurity; and
- Whether the director has knowledge, skills or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling or business continuity planning.
The SEC wants deep operational competencies in cybersecurity in the boardroom, as they did with financial expertise. Adding this director competency to U.S. public company boards will strengthen the boardroom as a critical control point in every company’s cybersecurity system. As happened with SOX, regulators around the world will also likely mirror this requirement, creating a global acceleration of cyber board transformation.
“The complexity of this area is partly to blame for why board reform is moving so slowly,” according to Rod Adkins. “This is a very demanding area and most companies now recognize that cyber-threats can cause serious harm. But changing the trajectory is a lot about resources, as this ramps up. You need people who understand this space and have a much deeper working practitioners’ knowledge of these issues.”
Based on Rod’s experience, committee transformation also usually accompanies the addition of these skills into the boardroom. Boardroom transformation over cyber risk doesn’t just stop with having cyber skills in the boardroom. Governance itself is a system that relies upon the right organizing structure for the director’s activities and the right focus on risk.
Over 200 boards in the U.S. R3000 now have some form of technology or cybersecurity committee on their board. This organizing principle brings greater task efficiency, focus, and accountability to the committee’s mandates. While many boards still follow the lagging practice of tasking their audit committee with cyber-risk oversight. This is a practice that the SEC’s acting chief accountant has questioned.
While there can often be an unfounded bias that cyber executives are technical specialists, understanding cyber risk requires a strong understanding of where business value is coming from along with how to protect it. Given the significant role that every company’s digital business system has on revenue and profitability, bringing cyber expertise into the boardroom is now corporate governance table stakes. This will not only strengthen the boardroom as a key cyber control over downside risk but also help companies create and drive value from digital transformation.
Cyber governance is an issue of national competitiveness and security and the SEC is now proposing common sense, and easily implementable changes that will force boards to do what they could have done themselves all along—effectively govern one of the most significant risks facing the organization.
Cyber expertise in America’s boardrooms is long overdue.
To read more related news article , click here
What is a CISO ?
A CISO, or Chief Information Security Officer, is primarily responsible for an organization’s cyber security initiatives. CISOs are technologists, who can participate in high-level initiatives as business strategists. CISO’s ensure that IT systems comply with security and regulatory requirements. In summary a C(I)SO is the top Cyber executive of an organization. The Role CISO requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building.
CISO Responsibilities
Some of the day to day tasks of CISO’s are :
Security Operations
Real-time analysis of immediate threats, and triage when something goes wrong.
Cyber-risk and Cyber Intelligence
Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves.
Data Loss and Fraud Prevention
Making sure internal staff doesn’t misuse or steal data
Security Architecture
Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind.
Identity and Access management
Ensuring that only authorized people have access to restricted data and systems.
Program Management
Keeping ahead of security needs by implementing programs or projects that mitigate risks—regular system patches, for instance.
Investigations and Forensics
Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis.
Governance
Making sure all of the above initiatives run smoothly and get the funding they need—and that corporate leadership understands their importance.
CISO Responsibilities:
- A CISO is appointed to provide cyber security leadership and guidance for their organisation.
- The CISO within an organisation is typically responsible for providing strategic-level guidance for their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a Chief Security Officer, a Chief Information Officer and other senior executives within their organisation.
- The CISO oversees their organisation’s cyber security program and ensures their organisation’s compliance with cyber security policy, standards, regulations and legislation.
- The CISO regularly reviews and updates their organisation’s cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.
- The CISO implements cyber security measurement metrics and key performance indicators for their organisation.
- The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key business and ICT executives, which meets formally and on a regular basis.
- The CISO coordinates security risk management activities between cyber security and business teams
- Overseeing incident response activities
- Contributing to business continuity and disaster recovery planning
- Developing a cyber security communications strategy
- Working with suppliers and service providers
- Receiving and managing a dedicated cyber security budget
- Overseeing cyber security personnel
- Overseeing cyber security awareness raising
4 Cybersecurity Questions Boards Need to Address
1- How can IT help to make revenue ?
2- What is your Cybersecurity Strategy ?
3.As a board, what is our plan to develop in the areas in which we’re lacking?
4. Does the board has the right committee to understand cyber matters ?
More about CISOs , click here
About SEC
The mission of the SEC is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. The SEC strives to promote a market environment that is worthy of the public’s trust.
CISOs Into Americas Boardrooms
