As evidenced by recent communications from the SEC, corporate boards are increasingly being held ultimately responsible for cybersecurity. While managing cybersecurity risk is the responsibility of the CEO (who typically delegates much of the day-to-day management to someone like the CISO), overseeing its management is the responsibility of the board of directors.
Yet despite decades of daily news reports of cyber attacks wreaking havoc, corporate boards of directors often don’t function as well as they should, or as well as they intend to, when it comes to overseeing the mitigation of cyber risk. It’s not hard to understand why this problem exists. Cybersecurity is a relatively new addition to the list of major risks facing businesses, and cyber risk evolves much faster than other “classic” forms of risk, such as those related to accounting, legal, or physical hazards. The business world has far less collective experience managing cyber risk than other forms of risk, and even less wisdom from previous generations to draw on when actually overseeing the management of such risk.
Of course, boards are not ignoring cybersecurity. On the contrary, generally speaking, today's directors are well aware of the importance of cybersecurity and are highly committed to ensuring that their respective executives can adequately mitigate cyber risks. Boards not only regularly pay homage to cyber risks, they also back up the lip service by encouraging senior management to allocate steadily increasing budgets to defending against cyber risks.
But as the saying goes, “the road to hell is paved with good intentions.” While boards certainly want to do their part to oversee the management of cyber risks, the sad reality is that boards often fall short in their mission in this regard. This is primarily because many boards do not have enough relevant knowledge, experience, and skills to understand how to meaningfully fulfill their role with respect to cybersecurity. This phenomenon also creates dangers. In some cases, inappropriate board actions could even harm rather than improve an organization’s cybersecurity.
In some cases, boards that are underrepresented by people with relevant cybersecurity backgrounds can survive for long periods of time without suffering from problems due to their deficiencies. In fact, organizations with such boards may even boast that they have invested heavily in their information security programs. But ultimately, once some cybersecurity “incident” occurs, the false sense of security quickly crumbles, and it becomes clear that the investment was made in a far from optimal way: the barrier to cyberattacks you thought was the equivalent of a fortress wall turns out to be more like Swiss cheese.
Sometimes, cybersecurity-related discussions in the boardroom seem promising, but in reality they are unproductive sessions where directors try to do some of the CISO's work, instead of focusing on the CISO's responsibility to oversee cyber risk management. Sometimes important issues are raised, but directors don't realize that important issues remain unresolved because they believe they understand the issues under discussion better than they actually do. Other times, they don't have enough experience to understand the issues under discussion. At one board meeting, a director even joked that he needed an interpreter to understand the CISO's presentation.
As fiduciaries, boards of directors are responsible for ensuring that their respective management teams have implemented appropriate planning to ensure that their respective businesses can recover appropriately in the event of a cyberattack (which will inevitably occur over time) and that any remaining exposure to attacks is limited to known, acceptable and manageable levels of risk. As a result, cybersecurity risk is becoming a critical component of the internal audit function. However, because cybersecurity is a relatively new field, many organizations use poorly suited KPIs to plan for and measure cybersecurity-related issues. While these KPIs may sound to accountants and lawyers like appropriate and effective measures for evaluating success, in reality they are poorly chosen and seriously flawed.
Board members hear and accept at face value reports of cybersecurity success based on criteria that not only make no sense but are often misleading. I have heard stories of organizations that measured the number of breaches per quarter without knowing how many attacks were occurring in the first place, without understanding the relative potential damage of different breaches, and ignoring the fact that the most harmful breaches are likely to be those that go undetected and are therefore never reported.
In that regard, it is important to understand that the board’s task is to monitor risk – to ensure that senior management has the appropriate risk management plans in place – not to actually manage risk. However, when it comes to cyber risk, it is not uncommon to see board members spend a significant amount of time discussing cybersecurity issues that the CISO should address and that lie outside the board’s focus area, while failing to discuss the key elements that actually need to be covered.
I've seen board meetings get derailed when directors get unnecessarily involved in detailed discussions of the results of a recent company-wide phishing simulation. Instead of focusing on how well the company can withstand phishing attacks (or any form of cyberattack), the people responsible for overseeing cyber risk management spent considerable time and effort speculating about why employees in certain departments are better than others at not falling victim to spoofed emails. The board needs to understand how well the company can withstand an attack, not whether 27% or 28% of employees need to take a training class.
So while it's crucial that your board has members with cybersecurity experience, you need to take the time to ensure they have the right kind of cybersecurity experience. Adding someone to your board simply because they've worked in the cybersecurity field can land you in a problematic situation and ultimately lead to nasty surprises.
Newsweek is committed to challenging conventional wisdom, seeking common ground and finding connections.