Last week, I had the opportunity to moderate a panel at the NACD Summit, where I was joined by: Deven Sharma, Former President at S&P; John Katko, Former Member of U.S. House of Representatives; and Aaron Hughes, CISO at Albertsons. The National Association of Corporate Directors (NACD) holds its summit annually to empower directors and transform boards to be future ready.
Our panel discussion focused on how board members can strategically oversee their organizations’ cybersecurity resilience. For full disclosure, Deven sits on the board of SecurityScorecard, while John and Aaron sit on our advisory board.
Understanding fiduciary duties in the cybersecurity realm, learning about board-level metrics, and exploring effective communication strategies all help ensure that cyber risk remains a top priority on an organization’s strategic agenda. The last several years have also seen a shift away from voluntary cybersecurity compliance toward a more aggressive regulatory approach. After decades of holding the CISO and security teams more or less solely accountable for their organizations’ cyber postures, there’s a growing emphasis on making cybersecurity a team sport—one where boards and multiple stakeholders have skin in the game.
The U.S. Securities and Exchange Commission (SEC) has released a set of regulations requiring publicly traded companies to disclose new details about cyberattacks, as well as about cybersecurity oversight at the board level. These and other regulations highlight how important it is for boards to approach and address cybersecurity risk like any other material business risk. Boards of directors, executive teams, and CISOs all need to be able to speak the same language when it comes to their organization’s security posture and cyber resilience, but CISOs and boards face a learning curve in establishing successful two-way communication.
We’re also living in a time when boards are expected to react more quickly than ever. Case in point: recent data from CrowdStrike shows that breakout time, the interval between a computer first becoming infected and an attacker being able to take over the entire network, has been reduced from 84 minutes to 79 minutes. Boards have to be prepared to make faster decisions and understand the risks they face in real time.
There are common misconceptions or blind spots that board members may have when it comes to cyber risk. Deven Sharma pointed out that board members have to be cyber literate in order to understand that cyber risk is an existential threat to businesses. A director who didn’t understand what a gross margin is would draw suspicion from the other board members; the same now goes for cyber issues, so a deeper knowledge of what their organization is facing is a requirement.
Sharma also pointed out that breaches don’t just affect a company’s cybersecurity; they affect the stock price and market capitalization, as well as customer trust. According to Diligent’s 2023 survey, only 9% of board members have technical expertise. What’s more, half of the companies surveyed have no technical expertise on the board at all, which is especially concerning.
With cyberattacks on the rise and the average cost of a ransomware breach at more than $4.5 million, there’s now a greater emphasis on measuring cybersecurity and the need for a more transparent approach to cyber health. Organizations have outside auditors validating their numbers, so in turn they should have independent, outside entities looking at the metrics their security teams are presenting as well. Congressman Katko also echoed the need for a greater focus on metrics and measurement in cybersecurity.
In terms of cyber regulations, Katko noted the delicate balance that has to be struck, especially given the potential legal blowback regulation may create. When he helped author the CIRCIA bill, he said it was a challenge to incentivize companies to share information on breaches and cyberthreats, knowing that doing so could open them up to significant liabilities. Katko emphasized that organizations will be reluctant to share if they believe telling someone about a vulnerability will create legal challenges. He went on to say, “So we sought to define the exact areas that required companies to disclose threats to the government, and built a mechanism to ensure they would have liability protections for sharing that information with the US government.”
Congressman Katko also indicated that the more attacks we see, the more likely it is that broader regulations will emerge if Congress and regulatory agencies don’t understand what companies are doing proactively to measure, manage, and communicate their risk. When Congress doesn’t feel that progress is being made, it tends to react. Members don’t understand the technical details of cyber, but they have to do something if they don’t feel progress is being made. There will be good harmony between the government and the private sector if organizations take cyber hygiene seriously and maintain a good posture.
As a CISO who presents to the board and also serves as a sitting board member, Aaron Hughes offered his unique perspective on these issues. CEOs and board members are finding it exceedingly complex in the current climate to accurately identify risk, much less reduce it, which is why shifting the makeup of boards is needed. The percentage is still small; however, there is a wave of new board members coming from the technology sector who are beginning to fill the gap in navigating this new world.
In terms of the SEC’s requirements, Hughes shared that in addition to acting with trust and transparency, CISOs must also prioritize significant education for board members to fully understand why cybersecurity investments matter.
Hughes also stressed the importance of using Security Ratings to manage third-party risk and communicate it to the board. Cybersecurity ratings support broader third-party risk management programs by making data collection more effective and enabling continuous monitoring of supply chain security. With most public companies managing thousands of third parties, security leaders need a way to gather information quickly from these companies so they can triage potential risks and prioritize which third parties to work with on remediation. Ratings are a signal for understanding where to focus.
I thank my brilliant panel for joining me in this thought-provoking discussion about the future of cybersecurity at the board level. I look forward to more of these conversations, and seeing how board members and CISOs can improve their communication.