Boardroom CISO. PHOTO: Cybercrime Magazine.

The New C-Level Players: The Value Cyber Experts Add to the Board

The Broken Communication Line Between CISOs and Board Executives

Gily Netzer

New York, N.Y. – Apr. 6, 2020

Every executive team — regardless of company size — cares about business risk.  Executive teams and their boards must be continually aware of the latest cybersecurity threats, because the impact of a data breach is company-wide, ranging from business disruption, direct financial loss, and impairment of customer trust and brand reputation. Cyber incidents can have a direct impact on company valuations. In an NYSE Governance survey, 4 percent of respondents would not consider acquiring a company that has recently suffered from a high profile data breach, or at significantly lower valuation.

Cybersecurity isn’t simply a “technology or compliance issue.” It’s a matter of protecting the entire business from cybercriminals who are committed to stealing or destroying valuable assets for a profit. Significant issues lie in the lack of communication and transparency between CISOs and board executives, resulting in cyber weaknesses going undetected or worse, untreated as board members place inadequate priority and budget allocation on the cybersecurity landscape.

The SEC Steps Up Its Cybersecurity Regulations and Compliance Policies Against Breaches

The SEC began requiring companies to disclose data breaches and “material cybersecurity risks” in order to better protect investors. This includes informing the organization’s directors, officers, and other key individuals about risks that the company faces or is likely to face. Known risks or uncertainties must be disclosed, and in addition, an estimated cost of contingent liabilities must be disclosed on the company’s balance sheet.

In Jan 2020, the SEC’s Office of Compliance Inspections and Examinations issued examination observations related to cybersecurity and operational resiliency practices taken by market participants. The OCIE placed a considerable amount of emphasis on securing the perimeter — detailing the capabilities of various security controls and technologies. In contrast, Secplicity predicts that 25 percent of All Breaches Will Happen Outside the Perimeter in 2020 alone. And the OCIE themselves released a threat alert related to storing customer records and information in network and cloud based storage. Security professionals have the daunting task of bridging the language gap between the highly technical subject matter and the business language of the board.

The Price Companies Pay for Breaches Due to Miscommunication with CISOs

Executive teams and board of director members of Home Depot, Wyndham, Capital One, and a score of other big names were targeted by lawsuits when their organizations were breached, with major penalties and severe reputation damages.

The total cost for data breaches in 2019 was $3.9 million with an average time of 279 days to identify and contain a breach. Facebook proved it too wasn’t immune. In 2019, the social networking giant was hit with a record-breaking $5 billion penalty from the FTC over the Cambridge Analytica data breach incident, which remains the largest penalty ever imposed by the Federal Trade Commission to date.

Yet, despite knowing how critical the role of a C-level security expert is, only 40 percent of organizations report having a CSO/CISO.  In many organizations, the CISO or CSO role was originally created in the IT department, and in many organizations, they still report to IT management instead of directly to the CEO, CIO, or CTO.

 Because cybersecurity has not been a primary focus for many boards, there is an overall lack of awareness about cybersecurity threats, controls, or posture. As a result, many organizations often make security decisions based on incorrect or unknown assumptions with a little to no effect.

Companies don’t have the right processes in place to inspect third-party agreements from a security perspective, and they often lack leaders who understand security regulations and how an attack affects customers, providers, vendors, and shareholders, leading to internal friction between cyber teams and company executives.

Helping Boards Reframe Their Cybersecurity Understanding

The best protection against lawsuits is to have strong corporate governance policies for the board to follow. Board members should receive regular briefings on cyber threats facing the organization, the state of its security controls, and the risks associated with each.

The board also should ensure that members are familiar with — and have deliberately considered — the organization’s approach to threat detection, incident response, mitigation processes, and emergency contingency plans in the event of a breach.

In the 2019 Governance Outlook: Projections on Emerging Board Matters, the NACD reported that 70 percent of public company directors said they need to better understand the risks and opportunities affecting company performance. This leaves a large gap that must be addressed between the relationship of CISOs and company directors.

Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture devoting appropriate board and senior leadership attention to setting the strategy of and overseeing the organization’s cybersecurity and resiliency programs.

CISOs play an integral role in relaying security threats to executives and board directors. Their role is twofold in that they can easily translate complex technical concepts and create a detailed security plan to ensure resilience in the case of a breach. Once the board has a better understanding of the security threats in a more familiar business language, they will be a lot more likely inclined to allocate additional funding into the cybersecurity budget plan.

The Path Forward: Involving CISOs and CSOs in Bigger Roles

It is in the best interests of an organization to continually assess their controls across all attack vectors and gain risk metrics for optimizing security posture and measuring improvements.

There are security solutions that are constantly updated with immediate threat data, enabling organizations to automatically test controls, mitigate as needed, and provide the board with executive-level reports that reflect the improved security posture.

Give your board the awareness, insight, and tools they need for making informed cybersecurity decisions. Improving the trust factor and communication levels between CISOs and the executive committee can literally mean the difference between a multimillion-dollar breach lawsuit and the reputation of your company.

Gily Netzer is CMO at Cymulate