Corporate America is facing a cybersecurity crisis that’s not just about daily hacks and data breaches — it’s also about leadership — or, more accurately, a lack of it in corporate boardrooms.
This apparent leadership issue has been brought into the spotlight by recent cybersecurity incidents at companies such as UnitedHealth Group and CrowdStrike, which not only highlighted the vulnerabilities of America’s digital business systems but also sparked important discussions about the role of leadership in managing cybersecurity risk.
As we move forward in 2024, comparisons to past cybersecurity incidents like those at MGM and Caesars remind us of an uncomfortable truth: America’s cybersecurity problems aren’t just lingering. They’re getting worse. And this worsening is not due to a lack of technological solutions, but a serious leadership gap at the highest levels of corporate governance.
Cybersecurity is not an issue that can be addressed with software updates and firewalls. It is a strategic issue that requires a culture change that starts at the top – in the boardroom. Despite the importance of cybersecurity, many boardrooms are reluctant to prioritize cybersecurity expertise. This oversight leaves companies vulnerable and, as recent incidents have shown, can lead to disastrous consequences.
The role of the board of directors in cybersecurity is not symbolic. It is as functional and critical as that of any security management within an enterprise. Without a board of directors with deep expertise, companies are left with generic risk management strategies that fail to address the unique challenges posed by today’s digital threats. The result is often superficial oversight that fails to challenge or improve on the strategies proposed by the Chief Information Security Officer (CISO).
RSA Conference Chair Hugh Thompson highlighted the urgency of a shift in board strategy on cybersecurity, emphasizing the need for CEOs to seek directors with cybersecurity expertise. The point is not just to have technology experts on the board, but to embed cybersecurity in the board governance structure.
Despite the clear need for change, there has been resistance. Recent efforts by the SEC to require disclosure of cybersecurity expertise on boards of directors have met with significant opposition from a range of corporate governance bodies and industry groups. This resistance was driven primarily by fear, uncertainty and doubt, rather than empirical evidence.
But the case for having cybersecurity expertise on the board is backed up by ample research and data: Studies from Virginia Tech and others have found that a board with cybersecurity expertise can significantly increase the effectiveness of a CISO and contribute to more proactive oversight of risks.
It’s time to reevaluate how cybersecurity is managed in corporate America. Adding directors with specific expertise can transform the entire ecosystem, strengthening defenses and creating a culture that prioritizes robust practices. The cost of such an effort is minimal compared to the potential losses from a cybersecurity incident.
The cybersecurity industry itself is not lacking in leaders; rather, it is the boardroom that is failing to harness this expertise. For the United States to overcome its cybersecurity challenges, technological solutions alone will not be enough; we must revolutionize how we integrate cybersecurity leadership into the highest levels of corporate governance.
Jordan French is the Founder and Editor-in-Chief of Grit Daily Group, which includes Financial Tech Times, Smartech Daily, Transit Tomorrow, BlockTelegraph, Meditech Today, High Net Worth magazine, Luxury Miami magazine, CEO Official magazine, Luxury LA magazine and the flagship store Grit Daily. A champion of live journalism, Grit Daily’s team includes alumni from ABC, CBS, CNN, Entrepreneur, Fast Company, Forbes, Fox, PopSugar, SF Chronicle, VentureBeat, Verge, Vice and Vox. An award-winning journalist, he is a staff editor at TheStreet.com and a Fast 50 and Inc. 500 entrepreneur with one sale under his belt. A former engineer and intellectual property lawyer, his third company, BeeHex, rose to fame with “3D printed pizza for astronauts” and is now a military contractor. He is a prolific investor, having invested in over 50 early-stage startups by 2023, with over 10 having exited.