{"id":34709,"date":"2020-04-07T09:41:35","date_gmt":"2020-04-07T13:41:35","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=34709"},"modified":"2023-05-05T10:07:46","modified_gmt":"2023-05-05T14:07:46","slug":"working-with-ciso","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/working-with-ciso\/34709\/","title":{"rendered":"Corporate boards need more members who &#8216;get&#8217; cybersecurity"},"content":{"rendered":"<p>Do the boards that oversee many organizations know enough about cybersecurity risk to make the right decisions? Most said \u201cyes\u201d in a recent <u><a href=\"https:\/\/corpgov.law.harvard.edu\/wp-content\/uploads\/2020\/01\/2019-2020-Public-Company-Survey.pdf\" target=\"_blank\" rel=\"noopener nofollow\">National Association of Corporate Directors (NACD) survey<\/a><\/u>.<\/p>\n<p>Meanwhile, <u><a href=\"https:\/\/pages.riskbasedsecurity.com\/hubfs\/Reports\/2019\/Data%20Breach%20QuickView%20Report%202019%20Q3%20Trends.pdf\" target=\"_blank\" rel=\"noopener nofollow\">data breaches keep going up<\/a><\/u>. The past year saw a <u><a href=\"https:\/\/www.securitymagazine.com\/articles\/91366-the-top-12-data-breaches-of-2019\" target=\"_blank\" rel=\"noopener nofollow\">record number of cyberattacks<\/a><\/u>. There were more than five thousand cybersecurity incidents reported worldwide in the first nine months, a one-third increase on the same period in 2018. The number of records exposed more than doubled, to near eight billion.<\/p>\n<p>Cost is rising, too. Kaspersky\u2019s 2019 survey found the average <u><a href=\"https:\/\/www.kaspersky.com\/blog\/security-economics-2019\/28838\/\" target=\"_blank\" rel=\"noopener nofollow\">price tag of an enterprise cybersecurity incident is now 1.41 million US dollars<\/a><\/u>. It increases each year.<\/p>\n<p>Lawmakers and regulators are noticing the rising risk. 
So are investors and shareholders \u2013 in 2019, <u><a href=\"https:\/\/www.nytimes.com\/2019\/01\/23\/business\/dealbook\/yahoo-cyber-security-settlement.html\" target=\"_blank\" rel=\"noopener nofollow\">former directors and officers at Yahoo! settled with shareholders for 29 million US dollars<\/a><\/u>. The shareholders had sued them for failing in their duties after a breach of <em>three billion<\/em> customer accounts.<\/p>\n<p>Boards have come a long way from the days when cybersecurity was just the IT department\u2019s concern. But if, as the NACD survey suggests, 60 percent of boards know enough to govern their company\u2019s cybersecurity, 40 percent don\u2019t. That\u2019s a lot of boards who admit to not knowing their endpoint from their elbow.<\/p>\n<h2>Cyber knowledge should be the rule, not the exception<\/h2>\n<p>As cyberattacks and data breaches become more frequent and cause more damage, the need for effective cybersecurity governance becomes more business-critical.<\/p>\n<blockquote><p>Information security expertise is no longer a nice-to-have. All boards and business leaders need it \u2013 from startup advisers to corporate directors.<\/p>\n<\/blockquote>\n<p>Professional associations now recommend cyber knowledge as the rule rather than the exception, and regulators are starting to require it.<\/p>\n<p>Take, for example, the popular risk management model \u201cthree lines of defense,\u201d from the Institute of Internal Auditors (IIA). It outlines who\u2019s in charge of keeping entities digitally secure. For 20 years, the three lines were operational managers, risk and compliance management and internal audit. 
A <u><a href=\"https:\/\/global.theiia.org\/about\/about-internal-auditing\/Public%20Documents\/Public-Exposure-Report-General-Release.pdf\" target=\"_blank\" rel=\"noopener nofollow\">2020 update to \u201cthree lines of defense\u201d will specify a role for the board<\/a><\/u>: \u201cGovernance, organizational success and value creation.\u201d<\/p>\n<p>The same thing\u2019s happening at the Federal Financial Institutions Examination Council (FFIEC). Last November, its updated Business Continuity Management guide <u><a href=\"https:\/\/ithandbook.ffiec.gov\/it-booklets\/business-continuity-management\/ii-business-continuity-management-governance\/iia-board-and-senior-management-responsibilities.aspx\" target=\"_blank\" rel=\"noopener nofollow\">assigned the board and senior management ultimate responsibility for minimizing disruption<\/a><\/u> to critical business functions. <u><a href=\"https:\/\/securelist.com\/ksb-2019-review-of-the-year\/95394\/\" target=\"_blank\" rel=\"noopener\">Malicious threat actors often cause these disruptions<\/a><\/u>.<\/p>\n<p>The same organization\u2019s Information Security guide says the <u><a href=\"https:\/\/ithandbook.ffiec.gov\/it-booklets\/information-security\/i-governance-of-the-information-security-program\/ib-responsibility-and-accountability.aspx\" target=\"_blank\" rel=\"noopener nofollow\">board should \u201creasonably understand\u201d the business case for information security and the implications of security risks<\/a><\/u>, and guide management accordingly.<\/p>\n<p>But are these expectations realistic?<\/p>\n<blockquote><p>To most outside the field, cybersecurity is a mystery. 
How will board members learn enough to ask the right questions and give the Chief Information Security Officer (CISO) direction?<\/p>\n<\/blockquote>\n<h2>Companies with digitally savvy boards do better<\/h2>\n<p>Knowing boards need help in their role as security watchdog, organizations like the World Economic Forum (WEF) and the NACD have advice.<\/p>\n<p>WEF has devised <u><a href=\"http:\/\/www3.weforum.org\/docs\/IP\/2017\/Adv_Cyber_Resilience_Principles-Tools.pdf\" target=\"_blank\" rel=\"noopener nofollow\">10 cyber resilience principles for boards<\/a><\/u>. Two principles speak directly to cybersecurity roles and responsibilities: \u201cResponsibility for cyber resilience\u201d and \u201ccommand of the subject\u201d through <u><a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-awareness-business-2019\/29183\/\" target=\"_blank\" rel=\"noopener nofollow\">cybersecurity training<\/a><\/u> and updates.<\/p>\n<p>The NACD has also issued a list of <u><a href=\"https:\/\/securityintelligence.com\/nacd-publishes-five-cybersecurity-principles-every-board-director-needs-to-know\/\" target=\"_blank\" rel=\"noopener nofollow\">five core principles for boards\u2019 cybersecurity risk oversight<\/a><\/u>. Number one: A thorough understanding of cybersecurity and risk mitigation.<\/p>\n<p>But it seems boards need help making sense of cyber.<\/p>\n<p><u><a href=\"https:\/\/cisr.mit.edu\/blog\/documents\/2019\/01\/17\/2019_0101_digitallysavvyboards_weillwoernerapelbanner.pdf\/\" target=\"_blank\" rel=\"noopener nofollow\">Only 24 percent of US boards of companies with more than a billion US dollars in annual revenue are \u201cdigitally savvy,\u201d<\/a><\/u> according to a 2019 Massachusetts Institute of Technology (MIT) report. The report also says the companies with the digitally savvy boards had 38 percent higher revenue growth and 34 percent higher return on assets.<\/p>\n<blockquote><p>The bar is high. 
To qualify a board as digitally savvy, the study authors recommend not one, but three technology-minded directors or advisors.<\/p>\n<\/blockquote>\n<p>It\u2019s easy to misunderstand or fail to listen to one tech-savvy director. For real change, there must be a critical mass.<\/p>\n<p>The remaining 76 percent of boards in the study lacked expertise in even common digital technology. For them, getting up to speed on cybersecurity will be hard. But it\u2019s possible, if they\u2019re willing to ask for help.<\/p>\n<h2>Start recruiting cybersecurity and tech experts to boards<\/h2>\n<p>\u201cEvery board, no matter the industry, status or size, should include at least one cybersecurity expert among its membership,\u201d says William Killgallon, Executive Head of Security Risk and Crisis Management at GE Digital.<\/p>\n<p>A surprising number of boards fail this test. Independent corporate governance consultants Farient Advisors found that, of companies in the S&amp;P 500 (an index measuring the stock performance of the top 500 US companies), <u><a href=\"https:\/\/farient.com\/board-cyber-experts\/\" target=\"_blank\" rel=\"noopener nofollow\">only 16 percent had a technology or cybersecurity expert on their board<\/a><\/u>.<\/p>\n<p>Killgallon is on several boards. He says his expertise made the difference in one startup\u2019s fundraising: \u201cVenture capitalists asked pointed questions about security and privacy, especially data protection,\u201d he says. Company leaders had done their homework and recruited Killgallon to the board. They got the funding.<\/p>\n<p>\u201cThe money wouldn\u2019t have come without investor confidence that the leadership teams had, at the very least, done due diligence on cybersecurity and risk. 
Cyber-proficient board members who are also excellent communicators can teach the rest what they need to know,\u201d Killgallon points out.<\/p>\n<p>Today, cybersecurity expertise has become as essential to boards as understanding business requirements. Kaspersky CISO Andrey Evdokimov says having both is a win-win: knowing how the business functions <em>and<\/em> how IT and security work in the context of business.<\/p>\n<p>\u201cToo often, management hasn\u2019t identified the organization\u2019s critical business functions \u2013 those that must remain up and running for the business to work. The organization\u2019s own CISO or cybersecurity managed service provider may not be able to put a dollar figure to the cost of a debilitating cyberattack.<\/p>\n<p>\u201cMany enterprises don\u2019t have a resilience plan. These should set recovery time goals for key functions and map network interdependencies, making sure critical systems can be restored fast, in the right order. To govern effectively, boards must hold their cybersecurity management accountable for the answers to these questions,\u201d Evdokimov says.<\/p>\n<blockquote><p>Infosecurity management is not for dummies. It\u2019s for upper intermediates in business process management.<\/p>\n<cite><p><strong>Andrey Evdokimov<\/strong><\/p><p>Chief Information Security Officer, Kaspersky<\/p><\/cite><\/blockquote>\n<p>\u201cThe cybersecurity talent gap means it can be hard to recruit those in-the-know to boards,\u201d Evdokimov acknowledges. 
He also points out struggling boards can always hire a cybersecurity adviser.<\/p>\n<h2>How boards can go from cyber-questioning to cyber-smart<\/h2>\n<p>New regulation will keep driving boards\u2019 shift from cyber-questioning to cyber-smart.<\/p>\n<p>Nowadays, <u><a href=\"https:\/\/unctad.org\/en\/Pages\/DTL\/STI_and_ICTs\/ICT4D-Legislation\/eCom-Data-Protection-Laws.aspx\" target=\"_blank\" rel=\"noopener nofollow\">58 percent of countries have data protection and privacy laws<\/a><\/u>. The European Union\u2019s <u><a href=\"http:\/\/www.kaspersky.com\/GDPR\" target=\"_blank\" rel=\"noopener nofollow\">General Data Protection Regulation (GDPR)<\/a><\/u> required strict data privacy practices in EU nations and those doing business with EU residents. The US state of California\u2019s Consumer Privacy Act (CCPA) followed suit in 2020. All include boards in the chain of accountability.<\/p>\n<p>And in the US, the <u><a href=\"https:\/\/www.congress.gov\/bill\/116th-congress\/senate-bill\/592\/text\" target=\"_blank\" rel=\"noopener nofollow\">Cybersecurity Disclosure Act of 2019<\/a><\/u> awaits debate in the Senate. If enacted, it would require every publicly traded company to disclose whether any board member has expertise in cybersecurity. If the board includes no such experts, the company must explain why.<\/p>\n<p>Why, indeed? 
In a time when everything and everyone is becoming digitally connected, boards must too.<\/p>\n<p>Bringing a cyber-expert (or three) to the table \u2013 or building closer connections between experienced InfoSec professionals and the board \u2013 may do much to protect your organization\u2019s systems and your customers\u2019 data.<\/p>\n<p>When it comes to cybersecurity, a little knowledge goes a long way.<\/p>\n<p><em>This article reflects the opinion of the author.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Company boards need to know enough about cybersecurity to govern effectively, but four in 10 boards admit they should know more.<\/p>\n","protected":false},"author":2557,"featured_media":48110,"template":"","coauthors":[3654],"class_list":{"0":"post-34709","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-digital-transformation","7":"emagazine-category-enterprise-cybersecurity","8":"emagazine-category-safer-business"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/working-with-ciso\/34709\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/working-with-ciso\/21713\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/working-with-ciso\/20034\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/working-with-ciso\/17050\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/34709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2557"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-jso
n\/wp\/v2\/media\/48110"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=34709"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=34709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}