Cybersecurity must be front and center in the boardroom. Where can boards start and evolve their cyber strategy?
Written by:
Karena Man
Technology consultant at Egon Zehnder
Will Houston
Consultant at Egon Zehnder
Cyberattacks have dramatically affected companies over the years.
Think about the data breaches at Target and Equifax, the destructive attack on Sony Pictures, and the coordinated ransomware attacks against hospitals at the height of the pandemic, among many others. These incidents underscore that no matter how sophisticated a company’s security controls are, attackers can likely find a way around them. Yet that has not always translated into companies bringing on board members with deep cybersecurity expertise.
Inside the boardroom, directors are increasingly committed to understanding cybersecurity and being educated on it.
Research shows that 68 percent of board directors discuss the topic regularly or constantly. But boards are not fully equipped to handle this critical issue, because their composition remains largely focused on directors with strong financial and commercial acumen (CEOs, CFOs, COOs) and, most recently, with ESG and DEI expertise. To become truly resilient, board leaders should not only personally commit to cybersecurity oversight but build this competency into their governance. It is time to give CISOs and other professionals with cybersecurity expertise a seat at the boardroom table.
Boards are governing several challenges at once. Against an already complex backdrop, they cannot ignore the underlying role cybersecurity plays in ensuring that companies can not only conduct business as usual but continue to grow and innovate. By hardening their systems against a potential attack, or at least ensuring they can recover from one, companies can stay ahead of the threat and safeguard not only the business but its entire ecosystem. That is only the first step of a continuous effort to incorporate cybersecurity at the governance level. Beyond the immediate risk, there is also the issue of emerging regulation.
Cyber Regulation Affects Every Industry: Are Board Chairs Ready to Comply?
New regulation is knocking at the door of the boardroom, calling for a higher level of preparedness on cyber issues. The U.S. Securities and Exchange Commission has proposed rule amendments to enhance cybersecurity reporting and oversight practices. If adopted, these rules would require boards, which are already becoming more cognizant of the importance of cybersecurity, to significantly step up their reporting and disclosure of incidents, including providing regular updates on previously disclosed incidents and even an annual disclosure of directors’ cybersecurity expertise, if any.
According to the SEC, the amendments aim to “better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Justifiably so: ransomware attacks rose 151 percent in 2021, according to the World Economic Forum. Cybercrime is a critical business peril. It also poses an accountability issue for board chairs across every industry. If conversations about current and imminent regulation are not already happening, boards should start them quickly, for two obvious reasons. The first is to enhance preparedness in the event of an attack. The second is that cybersecurity disclosures (or the lack of them) can further expose companies to ill-intentioned actors.
Boards cannot afford to overlook cybersecurity. It is a pressing, and ongoing, issue. To become resilient against potential attacks, and to fulfill emerging regulatory requirements, company boards will need to make it a strong priority. The new mandate for board chairs is to ensure members are educated on the matter; to build a relationship with the company’s CISO; and to bring on either a qualified CISO or another professional (a former military officer, for instance) with strong cybersecurity skills and a deep background in regulatory compliance. Aspiring board members, for their part, will need the tools to enhance their profile and preparedness to serve effectively on the board.
The time for boards to act is now.
Corporate leaders are the only ones who can ultimately crack the code on increasing cyber-preparedness while complying with regulation, enabling the business to keep innovating, growing, and thriving. And it starts by embedding cybersecurity competence in the boardroom.
To support boards and candidates as they navigate the journey to better cyber-preparedness, we created the following resources:
Get on Board: Leaders with Cyber Expertise
A playbook for CISOs who want to rise to the boardroom
Corporate boards are quickly realizing that cybersecurity is no longer an occasional topic of discussion, but a looming issue they can’t afford to overlook. Pressure from investors, regulators, and consumers, along with an uptick in cyberattacks over the years, is also propelling a new wave of previously untapped executives to be considered for a seat: CISOs. But are they ready for board service? This playbook aims to bridge the gap between desire and ability to serve on a board by outlining practical steps for CISOs to embark on a transformation journey.
Cybersecurity on Board
A playbook for boards to elevate their knowledge on cybersecurity issues
It starts with the chair committing the entire board to such a critical mission. But one director alone is not enough to ensure company resilience. It is every director’s job to develop some cybersecurity literacy: risk factors, the regulatory environment, legal implications, just as every director is expected to read P&Ls, balance sheets, cash flow statements, and so on. The good news is that board members are increasingly embracing the issue as part of their regular meetings and their own development. This playbook offers practical insights to boards looking to get smarter about cybersecurity.