Tommi - Fotolia
Want a board-level cybersecurity expert? They're hard to find
Members of the board must be ready to defend their fiduciary decisions, corporate policies, compliance actions and, soon, cybersecurity preparedness.
Pity the corporate board. Not that long ago, many boards of directors had a relatively sleepy existence, proffering guidance from time to time, but actually taking action only in the rarest of circumstances.
Nowadays, boards must be ready to defend their fiduciary decisions, corporate policies, compliance actions and, perhaps soon, even cybersecurity preparedness. According to experts, a growing number of companies are seeking cyber-savvy board members; but it's still far from a majority.
However, in an effort to ensure greater cybersecurity preparedness, U.S. Sen. Jack Reed (D-R.I.) and Susan Collins (R-Maine) introduced the Cybersecurity Disclosure Act of 2015 to Congress in December 2015. Designed to promote transparency, the proposed bill -- S. 2410 -- would require publicly traded U.S. companies to have at least one cybersecurity expert on their boards.
At this point, the Cybersecurity Disclosure Act is still far from becoming the law, but the fact that Congress has taken notice of the matter underscores how seriously the cyberthreat is regarded.
At the leading edge
"I have noticed much more interest in the [cybersecurity] area from the boards of directors for both for-profit and nonprofit entities," said Braden Perry, a regulatory and government investigations attorney with Kansas City, Mo., law firm Kennyhertz Perry.
The major driver for the change is the genuine disconnect between business and IT.
"Many boards are filled with very sophisticated business people who are not sophisticated in areas of information technology and security. Information security has become a real issue and a void most boards have," Perry said. As a result, boards are becoming more active in searching for individuals that can guide the company on security issues.
When organizations have added a board-level cybersecurity expert, it's often a CIO who has had the visibility and mindshare around information security.
"This is definitely a request I'm seeing more [of]," said Alex Pezold, co-founder and CEO of TokenEx, a data security provider in Oklahoma City that helps organizations with PCI compliance. The effort to increase cybersecurity knowledge among board members is often tied to regulatory concerns.
"Every organization has computers, networks and digital assets that need to be protected," said Eric Cole, faculty fellow at the SANS Institute and founder and chief scientist at Secure Anchor Consulting in Reston, Va. All boards of directors must have someone who truly understands the exposures and can interpret technical information and ask the correct questions, he maintained. "In my opinion, if an organization does not have strategic cyber expertise on the board, the board should be sued for malpractice."
Recent appointments
Some companies are taking the plunge and appointing highly regarded information security executives to their corporate boards. In August, retailer Sally Beauty Holdings Inc. appointed Erin Nealy Cox to independent director on the audit committee of the board of directors. Cox was previously the executive managing director in charge of the global incident response business unit at Stroz Friedberg, a global cybersecurity, digital risk management and investigations firm. The appointment followed a series of breaches at the beauty retailer in 2015 and 2014, which exposed customers' credit card data.
The board of Huntington Bancshares Inc. in Columbus, Ohio, elected Chris Inglis, the former deputy director of the National Security Agency.
"Chris' deep expertise in cybersecurity and extraordinary career as a highly regarded leader will significantly strengthen Huntington's governance at a time when our industry faces rising critical challenges from cyberattacks," stated chairman, president and CEO of Huntington, Stephen D. Steinour, at the time of the announcement in May.
Personal data of some 4,000 employees participating in Huntington's wellness program was exposed in 2014. The program administrator, StayWell Management, alerted the Midwestern banking company that a former vendor had been hacked.
A series of surveys from Osterman Research Inc., sponsored by Bay Dynamics, put some concrete numbers to the challenge. According to the August 2016 report, "What's Driving Boards of Directors to Make Cyber Security a Top Priority?," corporate boards today do not possess widespread expertise about cybersecurity issues. Some 21% of 126 respondents -- who actively served on boards at U.S. companies with 2,000 or more employees -- indicated that their members have no expertise in these issues, and another 63% have only "some" expertise. The research further revealed that only 1% of board members possess "a great deal" of expertise about cybersecurity issues.
Eric ColeSANS faculty fellow and founder and chief scientist at Secure Anchor Consulting
The lack of expertise among board members amplifies the existing divide, with IT and security executives on one side and the board on the other. The researchers found that 30% of board members did not understand everything they were being told by the IT and security executives about the organization's cybersecurity posture, and 54% of board members agreed or strongly agreed that the data they receive from IT and security is too technical. Three out of five board members said they believe that one or more of their fellow board members should be a CISO or some other type of cybersecurity expert, according to Osterman Research.
However, Jeremy Bergsman, IT practice leader at CEB, a consultancy based in Arlington, Va., said "there aren't that many CISOs qualified to be on a corporate board."
Better awareness
Board membership is usually predicated on extensive business and leadership experience.
"There aren't even that many CIOs on boards," Bergsman added. Instead of trying to find a board-level cybersecurity expert -- which may not be possible -- it would be better to strengthen the board's grasp of cyber issues by other means.
"While cyber is in the news a lot today, it is by no means the largest risk that boards must manage, which is why boards need that broad perspective," Bergsman said. If there is a major risk on the technology side of the house, it is related to the broader topic of digitization. "Companies that are too slow to react may not survive," he said.
Bergsman, who participates in a CISO organization with hundreds of members, has raised the question of enhancing cybersecurity awareness for boards of directors in the past. The consensus among his colleagues is that boards are getting information, but they "just don't get it."
"As it stands now, what they really need is someone to interpret for them," Bergsman said. If that's not possible, there are several practices that can improve the board's understanding and effectiveness. CISOs typically report to boards quarterly, and they cover multiple subjects. Unfortunately, they tend to approach each subject a little differently, making it hard for board members to grasp concepts and connect the different topics meaningfully. In other words, they need an apples-to-apples discussion.
"About 70% of the companies I work with now try to explain everything in terms of the NIST [National Institute of Standards and Technology] Cybersecurity Framework," Bergsman said. This greatly improves the board's ability to understand and weigh the full range of security information, and it leads to better questions when they need more information.
On the board
Security experts who actually serve on boards, such as Jonathan Gossels, echo many of these observations and offer a few of their own. While technically and legally the directors represent the interests of the shareholders, the vast majority of companies are closely held, so the shareholders are mostly part the management team, a few angel investors and friends and family. "This is the case even for many companies in the $50 million to $500 million revenue range," said Gossels, president and CEO of SystemExperts Corp., an IT security and compliance firm in Sudbury, Mass.
Just as "only your friend can tell you that you have bad breath, our job is to say 'no' to bad ideas or to push for needed controls," he said. As far as cybersecurity goes, Gossels' role has been to slowly educate management and the other directors about compliance, from minimum levels to "aspirational" requirements. "It takes time to bake cybersecurity thinking into the fabric of an organization," he added.
Unless there's been a widely publicized breach, many boards do not focus on cybersecurity preparedness or view requirements, outside of regulations, as major corporate risks.
"As an executive, company advisor and former board member in tech-based companies, I have seen both boards and executive teams take proactive steps to add board members with risk-management experience over the past decade," said Brian Reed, chief marketing officer of social media security company ZeroFOX, based in Baltimore.
However, Reed said he does not see companies adding board members specifically with cybersecurity or cyber-risk experience. "For those organizations that are concerned with cyber-risk, there is a growing mandate from boards into executive management teams to address these risks and report regularly to the board," he said.
"In reality, your cybersecurity experts should be in operations for the minute to minute information technology challenges a company faces, with periodic reports to the audit committee and full board when appropriate," said John T. Montford, co-author of the new book Board Games: Straight Talk for New Directors and Good Governance. If the board is nervous about the cybersecurity advice and information it is getting, which today is generally the case, Montford said, then the audit committee should hire an outside cybersecurity expert for, hopefully, a well-grounded second opinion.
Secure Anchor's Cole holds a different view: The CISO or CSO is in a conflict of interest situation, "potentially representing data in a positive way to protect their job," and necessarily biased. "There definitely needs to be a CISO or CSO managing the overall security," Cole said. "But there must also be an independent person on the board that understands security."