Engaging the Board on Cybersecurity
Corporate Boards of Directors (BOD) may soon be required to disclose their level of cybersecurity expertise. The recently-introduced Cybersecurity Disclosure Act (S.2410) would direct the SEC to work out the details of making publicly-traded companies “comply or disclose” their level of expertise. Of course, this new cybersecurity compliance initiative has immediately become controversial.
Pros and Cons
According to Kevin LaCroix, who writes on cyber-liability, supporters argue that S.2410 is a “moderate and reasonable ‘regulatory nudge’ that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that ‘one size fits all.’ I agree with the comments in support of the bill that the best approach to imposing cybersecurity controls on publicly traded companies is a ‘comply or disclose’ approach.”
LaCroix also airs a counter-argument, that “encouraging public companies to change the composition of their board of directors represents misdirected pressure…to alter their board composition, when…a company [may need or prefer] board candidates with other types of skills or expertise.”
Security Architects Partners sees a big challenge out in the market. We’ve witnessed first-hand companies ignoring today’s real and present security threats and regulatory mandates. For example, a VP-level IT person recently rebutted my concern that hundreds of millions of the company’s consumer records are going unprotected with: “We’ve been doing that for years.” Articulating reliance on dumb luck as a strategy, and getting away with it in a meeting, seems to indicate a lack of any “tone at the top.”
However, we think the market can solve this problem, given enough investor awareness that it exists. The Cybersecurity Disclosure Act may never pass a gridlocked U.S. Congress. Nonetheless, we welcome the trend toward focusing on the need for security governance and risk management driven by executives with a pragmatic, realistic approach. We expect institutional investors such as mutual funds will start adding executive security awareness to their corporate governance scorecards, and publicly-traded companies will be reviewed accordingly. Such scrutiny will create yet another good reason for increasing awareness.
What We’re Doing
Security Architects Partners proposes to help raise executive-level security knowledge and awareness through our Security Leadership Services. Take a look. Briefly, they are:
- CISO Support Services
- Executive Cybersecurity Guidance
- Security Governance Review
- Risk Management Program Review
Executive Cybersecurity Guidance has been in the Service Catalog for a while, but could have been written for “S.2410 compliance.” Our curriculum is short on the fear, uncertainty and doubt (FUD) and long on information security governance. We actually don’t think business executives need “cybersecurity expertise” or that adding a “cybersecurity expert” to the Board is a panacea. Instead, we think all BOD members and executives need a basic awareness of security realities in 2016 and how to ensure security governance operates in the enterprise.
You can see from this discussion, from our recent DLP post, and from other content on this site that we’re focused on the business end of security as well as architecting the technology. We’re just as happy to be engaged by clients at the Board-level as by the CISO or other security management functions. That is, we can start from either direction. But here’s where we want your company to end up:
- Executives and BOD members have some basic training on what cybersecurity is and how to ensure it operates in the enterprise
- A security governance process is established
- A risk management program drives security policies, architectures and projects
- The right level of communication goes up and down between the CISO and business executive functions