If the board fails on cybersecurity, the company will fail.
American companies have chronic problems with cybersecurity.
The problem has now reached its fourth stage, escalating out of control with a massive coordinated cybersecurity incident by CrowdStrike that was not even caused by a cyberattack.
As we reach the midpoint of the summer of 2024, with the intense fallout from the UnitedHealth Group and CrowdStrike cyber incidents having redefined what is truly at stake and just how vulnerable America’s complex digital business systems are, I look back on the summer of 2023 and the comparatively lukewarm waters of the MGM and Caesars cybersecurity incidents.
But why are America’s cybersecurity problems not only not being solved, but are getting worse?
It’s as if we are focusing on the symptoms rather than the cure: America’s cybersecurity ills are caused by a massive failure of leadership in corporate boardrooms.
As long as the disease is not addressed, the symptoms will continue. Yet there are those who don’t believe board leadership on cybersecurity is important, and they will work to keep it as weak as it is.
But effective board cybersecurity leadership is critical and makes a difference. When board leadership issues in cybersecurity are resolved, all other cybersecurity controls are strengthened. This is its superpower. Cyber resilience can only be built and maintained with effective board cybersecurity leadership. Cyber tone at the top, cybersecurity culture, and so on are all noise until board cybersecurity leadership and expertise are in place.
Hugh Thompson, chairman of the RSA Conference, the world’s largest cybersecurity conference, says CEOs should demand more cybersecurity expertise on their boards: “CEOs not only want and need someone in a governance role behind them as part of the narrative, they need to provide themselves with as many tools as possible.”
And that is exactly what the board of directors is. The board is literally the controlling element of the cybersecurity system, and without cybersecurity expertise on the board, it is a weak control that leaves the CEO on his or her own. Everyone says leadership is important, but when it comes to cybersecurity, board leadership is often lacking.
The CrowdStrike incident is a shocking and eye-opening event for many company and board leaders, but it shouldn’t be. It is shocking only because company directors who bring nothing more than a general concept of risk to the boardroom don’t understand the specific and unique aspects of risk inherent in complex digital business systems. Generic risk paradigms are being misapplied, creating a persistent and growing confusion that cannot be resolved with the old approach and mindset often heard in the corporate governance community: that cybersecurity is like all other risks. Risk is situational and very often requires deep domain expertise to understand and mitigate in each situation.
Part of the problem is that boards and business leaders have been misled by regulators and others into believing that risk is some kind of universal concept and that directors do not need cybersecurity expertise to effectively manage it. The SEC continued to communicate this to boards and business leaders in its cybersecurity disclosure rules finalized in 2023, stating:
“We believe that effective cybersecurity processes are primarily designed and managed at the executive level, and that directors with broad skills in risk management and strategy often provide effective oversight of management’s efforts, even if they lack specific subject matter expertise…”
Believe? Who believes it? And note that “often” is far from always.
Hackers certainly have a vested interest in keeping board governance ineffective on these issues, but who else has a vested interest?
If you look at the comment letters submitted to the SEC, you will see that there was a coordinated campaign against the proposed rule that would have required boards to disclose whether they have directors with cyber expertise. The group opposed to this common-sense, simple disclosure rule was made up primarily of the Corporate Governance Institute, the American Bar Association, several law firms, a large group of industry and trade associations that mirror the views of the U.S. Chamber of Commerce, and, inexplicably, one of the largest IT and cybersecurity companies in the world.
The arguments presented offered no evidence but were intended to create a great deal of fear, uncertainty and doubt.
Notably, the group that argued in favor of creating simple disclosure rules regarding directors’ cybersecurity expertise was made up of several prominent cybersecurity associations, institutional investors, several U.S. Senators, the accounting professional association AICPA, academic researchers, and several cybersecurity software industry leaders, including CrowdStrike.
The SEC caved to the opposition, but it should have been smarter, given the precedent it set in 2002 when the Sarbanes-Oxley reforms forced financial expertise onto boards of directors to strengthen the board’s role as steward of financial reporting. And it worked.
In the words of Warren Buffett, “Risk comes from not knowing what you’re doing.” Many boards don’t know what they’re doing when it comes to cybersecurity. Having a director with cybersecurity expertise on your board changes that immediately, resulting in a stronger cybersecurity system overall. Effective leadership makes that happen.
Notably, the FOR camp actually brought receipts, with empirical evidence to back up its position. The Virginia Tech study uncovered the following positive and negative business impacts related to director cyber expertise in the boardroom:
· A lack of cybersecurity expertise among board members leads to superficial, check-the-box oversight.
· Boards without cybersecurity expertise rely too heavily on CISOs, resulting in a circular oversight environment that lacks independence and even a tendency for CISOs to downplay problematic matters.
· A director’s cybersecurity expertise increases the CISO’s effectiveness with the entire board and C-suite executives.
· Cybersecurity expertise on the board enables directors to provide proactive, value-added oversight of cybersecurity risks that would not be possible without that expertise.
Fortunately, this problem can be solved easily and quickly by adding a director with cybersecurity expertise to your board of directors. Strengthening the board as a cybersecurity control, and significantly improving the overall cybersecurity system, would cost an S&P 500 company approximately $350,000 per year, roughly the annual cost of one corporate director, and even less for smaller companies. Adding director cybersecurity expertise to your board is not only a common-sense cybersecurity control; it is one of the highest-ROI controls in cybersecurity to implement.
Hugh Thompson of RSAC said cybersecurity expertise among directors is both a supply and a demand issue, and also commented on how cybersecurity leaders are undervalued in terms of their ability to contribute to the board as company directors: “Their skills are deep and they translate very effectively to the boardroom; their versatility, they naturally bring teams together well, they’re influential and they’re quick learners.” With 40,000 cybersecurity professionals attending RSAC every year, he should know that well.
The cybersecurity industry does not have a leadership problem. We have a lack of cybersecurity leadership in our boardrooms. If America wants to solve its chronic cybersecurity ills, we need cybersecurity leadership in our boardrooms.