CISO Strategy Fulfilling Expected SEC Requirements for Cybersecurity Expertise at the Board Level
In a move aimed at improving cybersecurity and awareness in long-term business strategies within public companies, the U.S. Securities and Exchange Commission (SEC) is expected to introduce a rule requiring the demonstration of cybersecurity expertise at the board level. While the details of the rule have not yet been made public, it is speculated that it will include a requirement for public companies to disclose the level of cybersecurity expertise on their boards.
The Challenge of Achieving Board-Level Cybersecurity Expertise
A study conducted by the CAP Group in February 2023 found that up to 90% of companies in the Russell 3000 lack a single director with the necessary cybersecurity expertise. This raises the question of how board-level cybersecurity expertise can best be achieved. One potential solution is to promote the existing Chief Information Security Officer (CISO) to the board, but this would require the CISO to transition from an operational role to a strategic business advisory role.
Another study conducted by IANS Research, Artico Search, and the CAP Group in June 2023 analyzed the readiness of CISOs for board positions among Russell 1000 companies. The study classified 14% of CISOs as ideal candidates, 33% as strong candidates, and 52% as emerging candidates. However, this study does not answer the fundamental questions of whether the CISO should be promoted to the board and whether an operational CISO would make a good board member. The opinion among existing CISOs and other executive leaders on this issue varies.
Exploring Different Approaches
Nicholas McKenzie, CISO at Bugcrowd, argues that simply promoting a “board ready” CISO may not achieve the desired effect. He believes that the ultimate goal should be for the board to have native cybersecurity expertise, enabling them to have meaningful cybersecurity discussions themselves. John Bambenek, principal threat hunter at Netenrich, echoes this sentiment, stating that existing board members should not rely solely on cybersecurity training but should instead recruit retired or semi-retired cybersecurity executives and founders with board skills.
The short tenure of existing CISOs is another practical challenge when considering the promotion of the CISO to the board. According to a survey published by Cybersecurity Ventures in 2022, 45% of CISOs tend to leave their current positions within 18 months. This raises concerns about the ability of a CISO to set long-term board direction.
Increasing General Board-Level Understanding of Cybersecurity
Ram Elboim, CEO at Sygnia, proposes a three-pronged approach to fulfill SEC requirements. The first prong involves adding someone with good cybersecurity knowledge to the board, either by promoting the existing CISO or bringing in a new board member with the relevant expertise. The second prong is to improve the general level of cybersecurity awareness among board members. Elboim suggests that while all board members should be educated on cybersecurity, boards should also bring in tenured expertise to enhance their understanding.
The third prong recommended by Elboim is to conduct periodic tabletop exercises for the board. These exercises would walk board members through various cybersecurity incidents, allowing them to understand how the organization should respond and the steps involved in managing such incidents. Elboim argues that tabletop exercises will raise awareness to a deeper level of understanding.
The Importance of Effective Communication
It is crucial for CISOs to effectively communicate with the board in the language of the business. Public companies attempting to provide cybersecurity training to existing board members need to ensure that their CISO can translate security concerns into relatable terminology and examples. Similarly, it is also important for business leaders to be able to communicate with the CISO in security terms.
Ultimately, the integration between the board and the security function must come from both sides and requires a top-down and bottom-up approach. CISOs should focus on protecting the organization, while boards should work towards understanding and governing cybersecurity effectively.
Conclusion
The precise wording of the SEC rule is yet to be published, but its purpose is clear – to improve cybersecurity and awareness in long-term business strategies within public companies. The challenge lies in finding the best approach to achieve board-level cybersecurity expertise. While promoting the existing CISO to the board is one option, it is important to consider other alternatives, such as recruiting experienced cybersecurity executives and founders, improving general board-level understanding of cybersecurity, and conducting tabletop exercises to raise awareness to a deeper level of understanding.
It is important to keep in mind that one potential consequence of this SEC requirement is that large, well-funded public companies may start to poach highly qualified CISOs from smaller private firms. This could exacerbate the already existing problem of CISO recruitment.