Title: The SEC Urges Companies to Prioritize Corporate Cybersecurity Experts

The SEC's Evolving Stance on Cybersecurity Expertise

The Proposal and Backtracking

The US Securities and Exchange Commission (SEC) has recently examined the issue of cybersecurity expertise within companies. In March 2022, the SEC proposed a requirement for companies to publicly declare one cybersecurity expert on their board of directors and one within management. However, the SEC has since backed off the requirement to disclose a board cybersecurity expert's credentials, while still expecting companies to describe the board's oversight of cybersecurity risks and management's role in assessing and managing those risks.

Defining Expertise

One of the major challenges in implementing this requirement is defining what constitutes cybersecurity expertise. The SEC intentionally did not provide a specific definition, instead leaving it to each company to determine what qualifications and experiences qualify as expertise in their specific context. The SEC did offer some suggestions, including certifications, academic degrees, and work experience. However, experts acknowledge that this is a difficult question with no clear answer.

Andrew Morrison, a principal at Deloitte Risk & Financial Advisory, argues that the lack of a clear definition is not unusual for SEC disclosure requirements. For example, financial expertise is also not explicitly defined but is required for directors who serve on the audit committee. Morrison suggests that the market will ultimately decide what credentials are seen as sufficient for cybersecurity expertise.

Market Forces and Competition

The SEC's approach to cybersecurity expertise is expected to rely on market forces and to promote healthy competition among companies. If a company experiences a damaging data breach, shareholders and investors may respond by driving down the stock price if they deem its cybersecurity credentials insufficient. Similarly, companies may reassess the credentials they initially approved if competitors in the same industry segment put forward experts with more impressive qualifications.

Brian Levine, a managing director at EY (formerly Ernst & Young), suggests that organizations will likely compare their cybersecurity disclosures to those of their peers and strive to do better. While the SEC may not directly determine whether credentials meet the requirements, market pressure can drive companies to prioritize cybersecurity expertise when seeking new board members.

The Emphasis on Experience

When considering the categories mentioned by the SEC, security specialists place significant emphasis on experience as a crucial factor in determining cybersecurity expertise. Many experts are not particularly impressed by certifications or university training alone. Although certifications like CISSP, CISA, CompTIA Security+, CEH, and CISM, along with computer science degrees, are considered helpful for management roles, they may be too specific for board positions.

Andy Ellis, an operating partner at YL Ventures, warns against relying too heavily on easily quantifiable metrics, such as certifications and degrees, in the search for talent. While these metrics may help identify candidates, they do not necessarily guarantee their suitability. Qualitative factors, such as the ability to ask the right questions and make critical decisions, are crucial for board members overseeing cybersecurity.

Brian Walker, CEO of security consulting firm The CAP Group, also questions the value of certifications at the Fortune 500 level. He emphasizes the importance of cybersecurity professionals’ ability to make real-time decisions, such as determining whether an incident qualifies as a reportable breach. The complexity of assessing materiality in cybersecurity incidents requires more than just a certification; it demands experience and a deep understanding of the field.

Recruiting vs. Training

Enterprises faced with the requirement to have cybersecurity expertise on their boards have two options: recruit cybersecurity experts externally or develop existing board members into experts. The former option can be challenging, as Fortune 500 companies typically have board members who come from three main backgrounds: CEOs and former CEOs of other companies, investors, and internal board members (typically the CEO, CFO, or COO). Finding true cybersecurity experts within these groups can be difficult.

Igor Volovich, the VP of compliance strategy at Qmulos, suggests that if demonstrating expertise through industry certifications is sufficient, existing board members may need to undergo certification bootcamps or executive cyber schools. However, Volovich points out the limited utility of such efforts in truly building expertise.

The SEC's intention in addressing the insufficient attention paid to cybersecurity within large companies is apparent. While board members express support for security and risk mitigation, their actions often do not align with their words. Budget decisions and the delegation of authority to Chief Information Security Officers (CISOs) frequently fall short of what is needed to address cybersecurity concerns effectively.

An Editorial Perspective

Moving Beyond Surface-Level Metrics

The focus on certifications and degrees as indicators of cybersecurity expertise may provide some sense of assurance, but it falls short of addressing the complexity of the field. While certifications can demonstrate a baseline level of knowledge, they should not be the sole criterion for evaluating cybersecurity expertise. Relying purely on easily verifiable metrics risks overlooking candidates with valuable experience and the ability to navigate nuanced challenges.

Emphasizing Critical Thinking and Decision-Making

To truly assess cybersecurity expertise, companies and boards must prioritize the ability to think critically, ask the right questions, and make informed decisions in real time. The cybersecurity landscape is constantly evolving, and technical certifications alone may not adequately equip board members to address emerging threats and vulnerabilities.

The Role of the SEC and Market Forces

While the SEC's requirement for cybersecurity expertise on boards is a step in the right direction, relying on market forces to determine which credentials are sufficient may not be enough. Setting clear guidelines and standards for cybersecurity expertise would provide greater certainty and consistency across industries. Additionally, the SEC should consider collaborating with industry experts and organizations to establish best practices and frameworks for evaluating cybersecurity expertise.

The Need for Holistic Cybersecurity Governance

Cybersecurity should be treated as a strategic priority and integrated into the governance of companies at all levels, from boards to management. Rather than viewing cybersecurity as a mere compliance obligation, organizations should embrace a proactive approach that considers cyber risk as an integral part of overall risk management.

Advice for Companies and Boards

Develop Comprehensive Cybersecurity Expertise Frameworks

Companies should develop their own frameworks for evaluating cybersecurity expertise, ensuring they go beyond surface-level metrics. Consider a holistic approach that values experience, critical thinking, and decision-making skills alongside relevant certifications and degrees. Tailor the framework to the specific needs and risks faced by the organization.

Invest in Continuous Learning and Professional Development

Cybersecurity professionals, including board members, should engage in continuous learning to stay up to date with the rapidly evolving cybersecurity landscape. This may involve attending industry conferences, participating in specialized training programs, and fostering a culture of knowledge sharing within the organization.

Consider Diversity and Collaboration

A diverse board that includes individuals with varied backgrounds and perspectives can enhance cybersecurity expertise. Seek board members with a range of experiences, including technical expertise, risk management, legal, and governance. Collaboration between IT, risk management, and board members can ensure a comprehensive and integrated approach to cybersecurity governance.

Evaluate Cybersecurity Governance on an Ongoing Basis

Regularly review and assess the effectiveness of cybersecurity governance practices within the organization. This includes evaluating the competencies and capabilities of board members, establishing clear communication channels between the board and management, and ensuring that cybersecurity risks and incidents are consistently addressed and monitored.

In conclusion, although the SEC's evolving stance on cybersecurity expertise on boards is a step in the right direction, more work needs to be done to establish clear guidelines and standards. Companies and boards must prioritize critical thinking, decision-making ability, and the holistic integration of cybersecurity into overall governance practices. By doing so, organizations can better protect themselves from cyber threats and build resilient cybersecurity strategies for the future.
