The risks associated with cyberattacks have now become the topic of discussion at the senior most levels within organizations for many reasons. In January, The World Economic Forum (WEF) listed cybersecurity as one of the greatest threats to businesses globally. In their report they rank cybersecurity in the top 10 threats of 140 economies. They went on to place cybersecurity above the food crises, interstate conflict, terrorism and infection diseases.

This is why cyber risks are now a common topic at the senior most levels C-level executives and the Board of Directors) within an organization. Many CEOs have begun to ask their management team members tough questions about their cyber preparedness. A KPMG report disclosed that half of CEOs asked admit they are not fully prepared for a future cyber event. With the pace of change in the cyber threat environment, one has to wonder if anyone can be “fully prepared” for a cyber event. That has given rise to cybersecurity training (non-technical) programs specifically designed for CEOs, CFOs and COOs.

Cybersecurity has become such a huge risk, and concerns do not stop at the CEO. According to a recent survey conducted by ISACA and RSA, 82 percent of boards are concerned or very concerned about cybersecurity. It has also caught the attention of law makers. Late last year a bill was introduced in the U.S. Senate that is getting attention and not just in the United States. It is called the Cybersecurity Disclosure Act of 2015. The bill wants all publically traded companies to disclosure whether or not any member of the board of the publicly traded company has expertise or experience in cybersecurity. This information would be required in Security and Exchange Commission (SEC) disclosures. It goes on to state that if the board does not have a member with cybersecurity expertise or experience, the company must describe what has led them to determine that cybersecurity expertise or experience is not required at the board level.

In the introduction of the bill, it states that during a 2013 National Association of Corporate Directors roundtable openly admitted that “the lack of adequate knowledge of information technology risk has made it challenging for them to effectively oversee management's cybersecurity activities.” The bill clearly indicates that those behind the legislation believe that investors as well as customers deserve a clear understanding whether or not publicly traded companies are properly prioritizing cybersecurity risks, and whether or not they have the knowledge to protect investors and customers from cyber related attacks. It is difficult to imagine any publically traded company would not require cybersecurity expertise on the board given how dependent organizations are on connectivity and the push to go digital. One can only imagine the investors’ reaction if a company did not have the cybersecurity expertise on the board.

Clearly, cybersecurity is rapidly moving from being viewed as a tactical issue to a strategic business issue of critical importance for every organization. This won’t happen overnight, but all signs seem to indicate the inevitability of these changes. With all of these concerns and all of the attention cyber risks are being given, it is becoming more likely that we will see many more CSOs and CISO reporting into the CEO and outside cybersecurity business experts being given board seats. This will have significant implications for CSOs and CISOs. Clearly additional oversight by the board of directors is coming, even if this bill does not pass. CSOs and CISOs would be well advised to brush up on their non-technical communication and presentation skills. They should also begin providing board level cybersecurity information to all C-suite executives so that they are well briefed on the current state of cybersecurity risks and defensive actions put in place to minimize risks. Perhaps it is time the CSOs and CISOs devise an executive level scorecard that presents risks and counter measures over time and includes industry comparisons specifically for this purpose.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Cybersecurity Issues Now at the CEO and Board Level

Blog Topics

Security Blog

On the Track of OSAC

Recent Comments

Insufficient information

Thankyou so much for sharing such an informative...

I just wish my mechanical lock had a...

security

Security

Blog Roll

Security Industry Association

Security Magazine's Daily News

SIA FREE Email News

SDM Blog