At a typical corporation, the board of directors is a group of people elected to represent the shareholders by establishing management-related policies and making decisions on executive pay and other high-level matters.
You could work for years at a given company and never meet or see a board member. But in the United States, every publicly-traded business is required to have a board. So these people are kind of a big deal.
This brings me to another critical issue: cybersecurity. As security professionals, it’s increasingly important that security topics are discussed in the board room, and that the people there not only grasp what’s at stake, but also take action.
As it stands, we’ve got work to do. A recent survey of over 200 enterprise security professionals conducted by Accenture and HfS Research revealed a number of eye-openers. For example, only 5 percent of respondents’ organizations have a Chief Risk or Trust Officer who reports directly to the CEO or Board of Directors.
The survey also indicated that cybersecurity professionals are increasingly reporting to a Chief Risk Officer (rather than the CIO or CEO), who in turn is reporting to the board.
While this is a sign of “growing security maturity,” according to the survey, there is still “tremendous dissatisfaction” among existing reporting lines.
We need to do better than that.
No Such Thing as “Perfect”
Most boards have woken up to the fact that they at least need to know more about cybersecurity, and most have security on their quarterly or annual agendas.
Still, in many cases, the security reporting to the board is assigned to either an audit or a risk committee. And, if security is on the agenda, it might get about 30 minutes in front of the board, based on my experience. That’s not enough time to fully learn and understand the gravity of the issue.
There are political complications: Management is sometimes wary about pulling the Chief Information Security Officer into the boardroom, leaving the topic to be covered by the CIO or CRO, who might be inclined to water things down or paint a rosier picture than actually exists.
I like to tell boards one thing: There’s no such thing as perfect cybersecurity. It’s a moving target, an evolving entity that must be constantly monitored and tuned. Breaches can happen anywhere and everywhere.
Call to action
The CISO really needs to be in the boardroom, or at least with the audit committee, with enough time to discuss the real cyber risks affecting the company’s data “crown jewels” and the impact on regulation, customer retention and brand. Communication skills matter, too: The CISO has to coherently and effectively translate cyber-speak into business risk.
If a breach does happen, you must be prepared to respond appropriately. And nothing can help more than some outside sets of eyes, and perhaps some outside voices who may not tell the board exactly what it wants to hear.
What we’re talking about isn’t anything like the usual boardroom scuffles you read about in the financial media. But it’s a battle worth fighting, because the “enemies” in this case are exceptionally hostile and can wreak havoc on share prices and anything else of value.
It’s time to transform the way we think about security.