It is accepted wisdom that cyber risk is a business risk that needs governance at the highest levels of an organization. Regulators are focusing on cyber expertise at the board level, recognizing the need to govern cyber as a business risk. In March 2022, for example, the Securities and Exchange Commission (SEC) issued a proposed rule that requires boards to disclose the cybersecurity expertise of their directors. This is a good start, but not sufficient: the problem isn’t solely a lack of expertise among board members, but a serious lack of effective cyber risk communication to those business leaders. If regulators start to scrutinize expertise, they should expand their focus beyond the board, to include how risk is communicated effectively to the board and the rest of the business. Efforts to incentivize chief information security officers (CISOs) to communicate more effectively to business partners will do more to manage risk than appointing a “cyber expert” to the board.
The SEC’s rule, titled “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” focuses on how public corporations manage cyber risk among other things. It will require of public companies listed in the United States “periodic disclosures about … the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.” The proposed rule will not define “cybersecurity expertise” but does include some criteria to consider, including prior work experience, certifications, or knowledge, skills, or other background in cybersecurity. Similarly, in November 2022 the New York Department of Financial Services proposed a rule mandating its regulated entities’ boards either have, or be advised by, “persons with sufficient expertise and knowledge” to oversee effective cyber risk management.
It is not the case that all boards actually need a cybersecurity expert on them. The implication of the proposed rules is that cyber is such a unique operational risk—albeit one of many that any given corporation faces—that companies should dedicate an entire board seat to someone who can manage this esoteric concern. There has been no real study of the proportion of senior cybersecurity experts with board-level communication skills, but it is a safe guess to make that there are more public boards than there are cybersecurity experts available to sit on them. Moreover, this is a top-down fix to a bottom-up problem. If more CISOs knew how to communicate cyber risk to a board, there would not be such a need to have a specialist interpret what the CISO is telling them.
Cybersecurity is not the only expertise that regulators scrutinize at the highest levels. The SEC mandates boards have expertise to read a financial statement, oversee a company’s strategy, have committees for audit, nominations, compensation and governance, and—in the case of financial institutions—a risk committee. Thus, c-suites have a Chief Executive/Financial/Risk Officer, internal audit, general counsel, and human resources officers as the principal managers for these portfolios. But few, if any, corporations have a CISO in their c-suite. It is a curious development that regulators are scrutinizing boards for expertise on a portfolio that is principally managed two or more layers down in the company. Why does this matter? Because for all the diverse skills and portfolios in the average c-suite, they all have one common skill: they know how to explain what they do to a board, in terms and concepts that the board can use to do its job. This needs to become a minimum required skill of a CISO as well.
To be sure, there are many CISOs who do have these skills, and communicate regularly and effectively with their boards. The problem is not organizational, and this is not an argument that CISOs should report to the CEO. There are other reasons for a communications gap between board directors and cybersecurity professionals, some of them simply cultural. Cybersecurity is a relatively young field (compared to marketing, finance, and operations), and only recently has it begun to be properly treated as a business risk issue rather than an engineering or compliance problem (hence, the new regulatory focus on governance). Unlike other executives, a CISO likely didn’t “come up” through the business line and thus must develop an expert understanding of how the company makes money. Without this knowledge, it would indeed be difficult for a CISO to convey their priorities and concerns in business language.
Rather than requiring boards to spend a precious seat on a specific, albeit important, operational risk, companies should create incentives to train cybersecurity experts early on in executive risk communication, and provide better education in and tools for describing cyber risk in terms more familiar to a board director (e.g., financial, legal, regulatory, and reputational liabilities, rather than technical or operational metrics). Companies should be encouraged to scrutinize this skill set and experience as they search for a CISO. Also, firms need to focus on improving how, and how often, the board communicates with the CISO and vice versa. The corollary to this is making sure that CISOs have adequate independence, authority, and ability to influence the company (something else that regulators are scrutinizing more closely). Finally, boards could use some cybersecurity literacy in the same way they’re expected to understand the basics of risk management in any of the cost centers such as legal, human resources, operations, or information technology—but that is a topic for the next article. Cybersecurity isn’t magic; done right, it should be as workaday and priceable as any of the other major board responsibility areas.
This article is the first in a two-part series.
Tarah Wheeler is the Senior Fellow for Global Cyber Policy at the Council on Foreign Relations and the CEO of cybersecurity company Red Queen Dynamics.
Neal Pollard is a member of the Council on Foreign Relations, adjunct professor at Columbia University, and a former CISO.