Breaking down your board’s risk management responsibilities

Nov 15, 2023
Boards of directors and cyber risk management

“It's easier to fool people than it is to convince them that they have been fooled.” 

Mark Twain

Cybersecurity is mission-critical for all companies, large and small, privately held or publicly traded, and CXOs are integral in ensuring their boards of directors are equipped to meet their fiduciary responsibility to their organizations.

Board members’ role entails overseeing enterprise risk (including cyber, but also operating risk, credit risk, market risk, etc.). Managing cyber risk requires boards to understand fundamental factors that influence and affect your organization’s exposure to cyberattacks. Regulatory pressures, technical challenges, organizational culture, and business partnerships all directly impact your organization’s cyber risks. There are various elements to consider when assessing, managing, and acting to improve your organization’s response to cyber risk.  

Cybersecurity may have served as a mere component of risk oversight in the past, but it has climbed the ranks of important risks on both the probability and impact scales. Cyberattacks have not only become omnipresent, they have also created the risk of severe financial loss in addition to significant reputational damage.

Cyber risk can be assessed in three areas: 

  • The amount of risk that can be accepted by the organization (acceptable loss) 
  • The amount of risk that can be transferred to a third party through cyber insurance
  • The amount of risk that can be mitigated with investments in cybersecurity technology, training, etc. 

With CXOs’ guidance, boards can play an important role in determining acceptable loss and creating risk transference strategies.

Organizations have strategic options when handling cyber risk.

Today's CXOs must assist boards in expanding their knowledge and understanding of cyber risks facing their organizations and current cyber positioning so boards can proactively ensure that executive management takes action.

How did we get here?

Information technology, and an organization’s need to use it to stay competitive, has become increasingly complex over time. Cybersecurity has likewise followed suit, becoming more complicated in the quest to defend enterprises where employees, applications, and data can be anywhere. Technology such as end-user computing, cloud, and data centers became a major focus, along with the firewalls, proxy servers, and data loss prevention engines meant to protect those assets.

Due to these developments, a leadership role of ever-growing importance has emerged: the CISO’s ultimate responsibility is protecting and setting policies for an organization’s people, computer hardware, software, and information assets. This security-specific focus caused the CISO role to begin separating from IT and the rest of the executive team and board.  

From 2007 onwards, technology’s pace quickened with the launch of the cloud. Market share and investment slowly moved away from in-house data centers to Infrastructure as a Service (IaaS) vendors like Amazon Web Services (AWS), Google’s Cloud Platform (GCP), and Microsoft Azure. At the same time, organizations started to adopt Software as a Service (SaaS) platforms, with companies such as Microsoft, Google, Salesforce, Workday, and Zoom. 

Price, time to market, developer productivity, and the ability to leverage massive computing capability were the biggest drivers behind cloud adoption. This gave organizations a competitive advantage in the market but resulted in their data being distributed across their own data centers and these IaaS/SaaS solution providers, as well as across multiple geographic locations.

From a cybersecurity perspective, this created a major organizational risk, as data had to be protected everywhere it was located. Many cloud services and platforms also have data-sharing capabilities that require enforcement. Traditional network and security architectures didn’t evolve fast enough to manage cyber risk in this new world. 

As a result, there have been several well-publicized breaches and information disclosures due to the new technological advancements. Some have resulted in firm enforcement actions, such as the successful prosecution of ex-Uber CISO Joseph Sullivan. The SEC has taken similar action against the CISO of SolarWinds following the company's breach in 2020. Today, legal culpability for complex security issues is creating significant consternation and worry across the industry, particularly for CISOs and board members. The SEC issued a ruling in July 2023 formalizing what is required in the event of cyber breaches.

On July 26, 2023, the SEC issued a ruling on cybersecurity, requiring the following from public companies (after a transition period):

  • disclosure of any cybersecurity incident that is determined to be material
  • description of the material aspects of the incident's nature, scope, and timing
  • declaration of the material impact, or reasonably likely material impact, on the company

This would be due four business days after a company determines that a cybersecurity incident is material, but can be delayed if there is a substantial risk to national security or public safety. This would be determined by the United States Attorney General. 

In addition, the ruling requires disclosure of the relevant expertise of company management that is responsible for assessing and managing material cyber risks. Finally, the rule requires periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks, which includes both the role of management and oversight provided by the board of directors.

Risk exposure, mitigating investments, and timescales for completion have become required topics on board meeting agendas, driven by the need to understand them better. For some cyber-forward boards, cyber risk oversight has become more formalized, with some companies creating dedicated audit committees or task forces to focus specifically on cyber risk or broader risk management. These committees may include board members with expertise in technology, risk management, or cybersecurity, and external advisors such as cybersecurity consultants or legal experts, who may also be responsible for process maturity assessment.

To balance ownership with the CISO, in some organizations there is also a Chief Risk Officer (CRO) who is responsible for security policy. The CRO or CISO’s role entails executing cybersecurity policy. The board members are then responsible for ensuring that special roles in the company (such as the CISO and CRO) have dual reporting lines inside the organization and directly to a board committee. Typically, the CISO/CRO will provide quarterly updates to the Audit Committee, while the CIO will update the entire board yearly.

In addition, the internal audit and compliance (legal) functions within an organization can also help with managing cyber risk. These functions can ensure that the company is complying with legal and regulatory requirements as they relate to cyber and identify any risks or weaknesses in the company's internal controls.

Functional relationships between the board and executive management.

 

This is part one of a series of posts dedicated to helping CXOs understand and excel in their board-level interactions. The next installment will advise on raising boards' understanding of key issues in cybersecurity. 
