It’s becoming rare that a day goes by without hearing about a major cybersecurity breach of some kind. Board directors are painfully aware that they need to be more active and better informed around the topic of cybersecurity, which is dominating discussions around boardrooms, and calling attention to certain areas of corporate governance like corporate culture and diversity.
The prominence of the cybersecurity issue suggests that it should become embedded in the corporate culture. Corporations can’t function optimally without having healthy electronic networks that keep data secure, internally and externally. Corporations need to emphasize the urgency of cyber risks by being open and transparent in their communications to employees and stakeholders. Communication has to start from the top and works its way down. Staying ahead of cyber threats requires awareness and vigilance about protecting data at every possible juncture of operations.
As cyber threats begin to have a greater impact on our society, board directors are facing many questions, such as whether the definition of diversity means adding a cybersecurity expert to the board. If so, how does a board director with cybersecurity expertise dovetail with internal cybersecurity teams, and what do appropriate boundaries look like?
In the interests of protecting shareholders, governments and regulatory bodies are asking many of the same questions as board directors.
New Focus on Cybersecurity in Industry and Government
Outside of boardrooms, Congress is also having discussions about how to encourage or enforce corporations to take stronger measures to protect shareholders against cyber threats. Senators Susan Collins (ME), Mark Warner (VA) and Jack Reed (RI) introduced S. 536. If passed, the law would require boards of directors to have a cybersecurity expert on their board or explain why not. The bill is in the early stages, and has not moved into committee or the other chamber yet.
The bill may have been prompted by a 2017 report by the Health Care Industry Cybersecurity Task Force, a group that was mandated by Congress. The report recognizes that board directors don’t typically have enough education and information to make quality decisions about cybersecurity. The bill would require health care organizations to provide more information on cybersecurity to board members in order to increase their awareness and understanding of issues that could affect their customers, shareholders and employees.
At the state level, the New York Department of Financial Services issued a new rule in March 2017 that requires banks to take steps to improve cybersecurity measures. The rule requires corporations to name a board chair or senior officer who is responsible for certifying to the state that their cybersecurity programs meet stringent requirements.
Boards Debate Expanding Diversity to Include Cybersecurity Experts as Board Directors
The potential of adding a cybersecurity expert as a member of the board of directors is a hot topic in the corporate world. What would a cybersecurity expert add to board discussions?
Spending is always a big debate among board members as it pertains to cybersecurity. How much is enough? How much is too much? Adding a cybersecurity expert to the board would give the other board members solid direction on the best way to allot spending for cybersecurity. A cybersecurity expert would also have the knowledge and expertise to guide board discussions about how much to spend on the front end for prevention and how much to spend on the back end for managing crises.
Cybersecurity experts on the board have the proper expertise to advise the board about the best tools, processes and resources to keep hackers at bay. In addition, cybersecurity experts are the prime resource people for identifying new developments in IT as technology advances.
Managing risk is more difficult than ever in today’s corporate world because of interconnectivity, which can cause viruses to spread in an instant. Cybersecurity experts can help board directors to know how best to categorize risks and to create comprehensive strategies for protection against attacks.
It’s worth mentioning that bringing a cybersecurity expert onto the board can also bring some unexpected problems. Board directors need to “stay in their lane” when it comes to interfering with management decisions that aren’t related to board work. There is likely to be some overlap between a cybersecurity expert who is a board member and IT teams that report to executives. Boards will need to stay ahead of issues by establishing clear boundaries and responsibilities for the board member/cyber-expert in this new role.
How Boards Can Identify Potential Board Candidates With Cybersecurity Expertise
Boards of directors that are serious about adding a cybersecurity expert to the board shouldn’t hesitate to be the front-runners. Unlike in other professions, such as finance, auditing and law, cybersecurity experts who also have executive-level qualifications are much harder to come by. Potential candidates for the board will be some of the top people in their field. They will understand the key cyber risk metrics that today’s companies are facing now and whatever challenges the future may bring.
Prime candidates will be the creators and innovators of future best practices for cybersecurity. It’s also important to consider that the best candidates may have experienced major failures in other capacities. What’s important is that they learned valuable information from them and can prevent such mistakes from happening for corporations moving forward.
Boards of directors have historically sequestered cybersecurity matters in audit or risk committees. The heart of cybersecurity risks is probing board directors to consider whether cybersecurity should be addressed by a stand-alone committee in order to keep the long-term discussion about cybersecurity going. A board director with cybersecurity experience could serve as the chair of a cybersecurity committee to help educate and inform the greater board as they proceed with higher-level strategic decision-making. A board member with cybersecurity expertise would act as the company’s advocate by communicating complex technological concepts in ways that board members, shareholders and other stakeholders can easily understand.
Final Thoughts About the Future of Cybersecurity Experts on the Board
Cybersecurity is an emerging and pressing issue for boards. Gaining support for evolving issues is never easy, even when it’s an urgent matter of protection, as it is in cybersecurity. A 2015 survey of the New York Stock Exchange Governance Services showed that 66% of respondents weren’t confident that their companies had adequate security for a cyber-attack. Adding a board member with cybersecurity expertise could reduce that percentage dramatically.