Answering burning questions from victims of cyber events.
Our board’s top priority is cybersecurity. We have a large information security organization led by a chief information security officer (CISO) and we’ve also sponsored several company-wide initiatives to promote awareness and enhance cybersecurity controls.
Currently, we have an open board seat we’re considering filling with a hands-on security practitioner. The concern is that the individual may not have the career history and successful track record of other board members.
Should we be concerned with an individual’s “business age” or rather, rely solely on expertise?
– Mr. Chairman of the Board
DEAR MR. CHAIRMAN OF THE BOARD:
Over two hundred years ago, Eli Whitney’s cotton gin revolutionized textile production. Over a hundred years ago, Henry Ford’s assembly line brought cars to the masses. Twenty-some-odd years ago, the internet began to change how companies conduct business.
None of these innovations were without their challenges. Eli faced patent infringement issues. Henry battled workers and unions. And today, the biggest challenge for modern online businesses is security.
Unfortunately, the original version of the internet didn’t prioritize security. And while several organizations and engineering task forces are redeveloping security standards for the internet’s next iteration, companies need trained security professionals at all levels — from entry analysts to the board room — to guide them through the application of security principles to mitigate an ever-changing threat landscape.
The role of a board member and why security expertise matters
Businesses need to morph and adapt to environmental and technological changes. For example, when mass adoption of corporate computers began to happen in the mid-1990s and companies started to become vulnerable to cyber threats, Citigroup created and appointed Steve Katz to the first-ever CISO role.
Today more than ever before, businesses must place a greater emphasis on safety and security. While the CISO role has matured significantly since its genesis, it hasn’t stood the same test of time as more traditional roles like CEO or CFO. As you asked, should that matter when appointing board members? Typically, the CEO and sometimes the CFO participate on the board and within their committees. Are they expected to bring the equivalent knowledge and expertise of security as with their line of business knowledge?
The primary purpose of a board is to provide oversight and strategic direction for a company, helping to align business initiatives and execute on vision. To meet these obligations, the board should be a diverse group, with qualified, successful, and tenured individuals who can help direct the path of the organization based on their experience and relationships.
According to a report issued via diligent.com, the average age of an S&P 500 board member is 63.5 and it continues to rise. There’s no disputing that wisdom comes with age and that boards need successful business minds. There’s also no disputing that the security mindset is not that tenured. But in my opinion, a diversified board should also include deep expertise in cybersecurity to provide guidance to the organization as well as board members — and that’s in addition to having the CISO role. Jointly, the security-focused board members and CISO would act as trusted advisors to each other or establish a mentor/mentee relationship, ultimately guiding and delivering a business-enabling cybersecurity program.
Fortunately, many boards are taking a greater interest in cybersecurity. Having seen countless ransomware attacks in the news and read the government-issued executive orders emphasizing the need for stronger security, safeguards, and planning, they understand that a successful cyberattack can cripple a company’s ability to operate, retain customers, and maintain a strong brand reputation. They know that the time for change and action is now.
(New technologies * new threats) = new board member skill sets
Being in the midst of a Fourth Industrial Revolution, the proliferation and adoption of technology will continue at exponential rates. Just as Eli and Henry introduced business-changing technology that brought unforeseen challenges, today’s businesses will experience the same pattern: new technologies will introduce new threats.
A company’s board advises on business matters. And they should be prepared to advise on the latest critical business matter: security. By adding a security skillset to a board, a company would be creating an innovative, future-proof team.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at DearRamey@areteir.com. Arete wants to help by sharing our insight and experience.