Forcing Security Expertise on Boards is Not the Answer, Here's What Is


How often do we hear about the need for businesses to add cybersecurity experts to their corporate boards? Given the growth in threats, their increasing sophistication and the impact an attack can have on a business, it is only natural that companies want experienced cybersecurity representation at that level. But if you expect this alone to mitigate the next threat or guide the business to a quick recovery, you are in for a painful surprise.

A business's best move is not to force security expertise onto its board and assume that this will improve the organization's security. In the best case, it makes everyone feel better because there is more board-level expertise than there was previously. On its own, however, it does little for the organization's ability to actively manage and reduce risk. That is because the security experience found on boards varies widely and rarely includes anyone who has run a security program.

There are many reasons why this is the case. Here are three that are top of mind.

Board of Directors Level Cybersecurity Experience is Lacking

At the board level, understanding of cybersecurity is thin. According to the Wall Street Journal, only 2.3% of directors on the boards of S&P 500 companies have cybersecurity experience. Moreover, some of the board members counted as security experts qualify because they have invested successfully in cybersecurity companies. But here is a practical question: have they ever run security in an organization? I'm willing to wager that very few have.

This is the harsh reality of a relatively young industry: compared with other disciplines, there are not many security practitioners with the breadth of experience a board seat requires, because the profession is still in its early years. If you want board members to be effective and impactful, they must be able to contribute beyond a narrowly focused discipline. Their views and limited experience could be helpful, but ultimately they occupy a valuable board seat that may not deliver the impact the company needs to be successful.

The Big Picture

Even if you manage to find the right board member, their influence is confined to one area. The CISO needs to understand the threats, vulnerabilities and mitigation tactics, and how they translate into business risk. A board member with experience in this area can help translate those messages and details into language the rest of the board understands. Even so, relying on this one ally to secure greater influence across the company remains a challenge, especially when other priorities are competing for attention.

The CISO’s Reality

The last reality is that, whether or not CISOs have an ally at the board level, their day-to-day responsibilities do not change. Their role is to identify the most significant risks the organization faces and to influence others, upward, downward and across the business, on the best way to prevent or remediate those risks.


If having cybersecurity expertise at the board level is not the answer, what is? A more effective approach is to raise the standing of CISOs and embed them further in the business. Rather than trying to add cybersecurity experience to the board, first create space at the table for your most qualified candidate, the CISO. Next, give them a regular opportunity to discuss the organization's security state and the controls in place. Many businesses have already made this shift. What may be missing is the business either accepting the risk or committing to remediate the gaps that the CISO is identifying.

I realize this comes with significant irony. For many years, CISOs have been calling for the board's attention, and now it may be the board that brings the two sides together. Either way, the result is that CISOs are communicating with the board more than ever.

According to Splunk’s new 2023 CISO Report, “Numerous CISOs across many industries report regular participation in board meetings, including technology (100%), government (100%), communications and media (94%), healthcare (88%) and manufacturing (86%).” That’s great news.

The key is getting the business to commit to remediating security risks, or to accept them explicitly. This takes on added importance in light of recent news that the SEC is charging SolarWinds and its CISO with misleading investors about the company's cybersecurity practices and known risks in the period before its historic breach. But CISOs cannot do this in a vacuum. They must be given a platform to provide board members with detailed updates on the business's cyber posture, potential risks, emerging regulations and compliance concerns, and how each is being addressed. To be effective, that platform must lead to buy-in from the C-level to drive security outcomes across the business.

When CISOs succeed at the board table, they not only avoid front-page news, they may also see a boost in their budgets. The same Splunk CISO report found that "93 percent of respondent CISOs expect an increase in their cybersecurity budget over the next year." Once again, that is excellent news. CISOs must remember, though, that even as their budget grows, it is impractical for the organization to invest in every security solution on the wish list.

Even when CISOs have a place at the table, trade-offs must be made. CISOs need both the technical and the business experience to understand those risks and to articulate them to leadership in a way a non-technical audience can follow. It is a difficult skill, and likely not one that was part of the initial job description, but it is the role a CISO must play to be effective.

Boards must become far better informed about, and more involved in, a company's cybersecurity efforts, including the potential threats it faces and the key initiatives under way. This does not require an influx of board members with deep cybersecurity backgrounds. The more realistic and effective approach is to give CISOs a voice at the table.
