The risks associated with cyberattacks have now become the topic of discussion at the senior most levels within organizations for many reasons. In January, The World Economic Forum (WEF) listed cybersecurity as one of the greatest threats to businesses globally. In their report they rank cybersecurity in the top 10 threats of 140 economies. They went on to place cybersecurity above the food crises, interstate conflict, terrorism and infection diseases.
This is why cyber risks are now a common topic at the senior most levels C-level executives and the Board of Directors) within an organization. Many CEOs have begun to ask their management team members tough questions about their cyber preparedness. A KPMG report disclosed that half of CEOs asked admit they are not fully prepared for a future cyber event. With the pace of change in the cyber threat environment, one has to wonder if anyone can be “fully prepared” for a cyber event. That has given rise to cybersecurity training (non-technical) programs specifically designed for CEOs, CFOs and COOs.
Cybersecurity has become such a huge risk, and concerns do not stop at the CEO. According to a recent survey conducted by ISACA and RSA, 82 percent of boards are concerned or very concerned about cybersecurity. It has also caught the attention of law makers. Late last year a bill was introduced in the U.S. Senate that is getting attention and not just in the United States. It is called the Cybersecurity Disclosure Act of 2015. The bill wants all publically traded companies to disclosure whether or not any member of the board of the publicly traded company has expertise or experience in cybersecurity. This information would be required in Security and Exchange Commission (SEC) disclosures. It goes on to state that if the board does not have a member with cybersecurity expertise or experience, the company must describe what has led them to determine that cybersecurity expertise or experience is not required at the board level.
In the introduction of the bill, it states that during a 2013 National Association of Corporate Directors roundtable openly admitted that “the lack of adequate knowledge of information technology risk has made it challenging for them to effectively oversee management's cybersecurity activities.” The bill clearly indicates that those behind the legislation believe that investors as well as customers deserve a clear understanding whether or not publicly traded companies are properly prioritizing cybersecurity risks, and whether or not they have the knowledge to protect investors and customers from cyber related attacks. It is difficult to imagine any publically traded company would not require cybersecurity expertise on the board given how dependent organizations are on connectivity and the push to go digital. One can only imagine the investors’ reaction if a company did not have the cybersecurity expertise on the board.
Clearly, cybersecurity is rapidly moving from being viewed as a tactical issue to a strategic business issue of critical importance for every organization. This won’t happen overnight, but all signs seem to indicate the inevitability of these changes. With all of these concerns and all of the attention cyber risks are being given, it is becoming more likely that we will see many more CSOs and CISO reporting into the CEO and outside cybersecurity business experts being given board seats. This will have significant implications for CSOs and CISOs. Clearly additional oversight by the board of directors is coming, even if this bill does not pass. CSOs and CISOs would be well advised to brush up on their non-technical communication and presentation skills. They should also begin providing board level cybersecurity information to all C-suite executives so that they are well briefed on the current state of cybersecurity risks and defensive actions put in place to minimize risks. Perhaps it is time the CSOs and CISOs devise an executive level scorecard that presents risks and counter measures over time and includes industry comparisons specifically for this purpose.