{"id":1679,"date":"2025-01-28T21:16:23","date_gmt":"2025-01-28T21:16:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1679"},"modified":"2025-01-28T21:16:23","modified_gmt":"2025-01-28T21:16:23","slug":"5-ways-boards-can-improve-their-cybersecurity-governance","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1679","title":{"rendered":"5 ways boards can improve their cybersecurity governance"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>As chairman of the board for Cinturion Group, Richard Marshall is intimately involved in ensuring the security of the fiber optic network his company is constructing from India through the Middle East and on to Europe.<\/p>\n<p>The monumental Trans Europe Asia System (TEAS) will be difficult enough to build given it will be buried beneath thousands of land and sea miles. 
Making it harder still, many of the countries that will host the cable do not much like each other, which presents potential cybersecurity issues.<\/p>\n<p>When he began his board-level career 16 years ago, Marshall says, he and his fellow directors probably would have delegated responsibility for securing this infrastructure to IT security \u201c<a href=\"https:\/\/en.wiktionary.org\/wiki\/propeller_head\">propeller-heads<\/a>.\u201d But today, with costly <a href=\"https:\/\/www.tanium.com\/blog\/how-enterprise-is-facing-up-to-ransomware\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">ransomware attacks<\/a>\u00a0increasingly torching bottom lines, he says, board members and their audit committees recognize they can no longer ignore such responsibilities.<\/p>\n<p>Directors know they must be more aware and directly involved. In fact,\u00a0<a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk\">88% of them<\/a>\u00a0now view cybersecurity as a business risk rather than a technology problem, according to the analyst firm Gartner.<\/p>\n<p>\u201cI\u2019ve seen the change,\u201d says Marshall, who also chairs two other boards and serves as a cybersecurity consultant. \u201cBoards are becoming more sophisticated. They are also younger, so they tend to be more technically aware and likely to realize they have to get involved in mitigating risk.\u201d<\/p>\n<p>Adding fuel to their fire: the likelihood of more government regulatory pressure. 
For example, the Securities and Exchange Commission (SEC)\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/europes-hefty-regulatory-fines-are-back-security-configuration-management\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">floated new rules<\/a>\u00a0that would require publicly traded companies to disclose their cybersecurity governance practices, including how boards oversee cyber risk. The proposal prompted considerable debate and controversy. While organizations would not be required to appoint members who are versed in technology or cybersecurity issues, the proposed SEC rules would mandate that they disclose whether they have done so. (The final rule the SEC adopted in July 2023 kept the requirement to describe board oversight of cybersecurity risk but dropped the proposed disclosure of individual directors\u2019 cybersecurity expertise.)<\/p>\n<p>That could be problematic for many organizations, because board members typically hail from business rather than IT backgrounds. Indeed, while the percentage of public companies with technology-focused directors has grown recently, it still\u00a0<a href=\"https:\/\/www2.deloitte.com\/content\/dam\/Deloitte\/in\/Documents\/risk\/in-ra-changing-role-of-the-board-on-cybersecurity-noexp.pdf\">stands at only about 17%<\/a>.<\/p>\n<p>Granted, good CISOs are\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/companies-scramble-to-find-cisos-amid-rise-in-hacking-threats\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">increasingly hard to find<\/a>, but in the SEC\u2019s view that scarcity is no reason to leave investors in the dark. 
\u201cCybersecurity is already among the top priorities of many boards of directors, and cybersecurity incidents and other risks are considered one of the largest threats to companies,\u201d the commission\u00a0<a href=\"https:\/\/www.nasdaq.com\/articles\/resilience-requires-a-modern-path-to-board-level-cyber-privacy-and-data-risk-governance\">explained<\/a>\u00a0while promoting its rule change. \u201cAccordingly, investors may find disclosure of whether any board members have cybersecurity expertise to be important as they consider their investment in the registrant, as well as their votes on the election of directors of the registrant.\u201d<\/p>\n<p>So, how can technology-challenged board members get up-to-speed on cybersecurity? Experts say it doesn\u2019t require a\u00a0<a href=\"https:\/\/www.businessnewsdaily.com\/10743-how-to-become-cissp.html\">Certified Information Systems Security Professional (CISSP)<\/a>\u00a0credential or walking in the CISO\u2019s shoes for a day (although neither approach would hurt). Rather, they suggest a few steps to address coming regulations and provide better oversight.<\/p>\n<p><strong>1. Appoint at least one cybersecurity expert to the board<\/strong><\/p>\n<p>Dr. Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS), has been studying the intersection of technology and business for more than 30 years and has published numerous papers involving cybersecurity. So, it made sense that the TMF Health Quality Institute, which was seeking cybersecurity expertise to address rising cybersecurity threats in that industry, would ask Pearlson to join its board.<\/p>\n<p>While other board members have interest, perspectives, and some experience in cybersecurity, Pearlson says her role is to provide deeper perspectives and guidance on key issues.<\/p>\n<p>\u201cI think boards are getting more mature, and members understand that responsibility,\u201d she says. 
\u201cThey manage business risk, and cybersecurity is a business risk. But they are not the same, and so part of my job is to look at the cybersecurity decisions they make to ensure they are sound.\u201d<\/p>\n<p>Some companies are building even deeper benches of cybersecurity expertise. <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2021-01-28-gartner-predicts-40--of-boards-will-have-a-dedicated-\">Gartner predicts<\/a>\u00a0that 40% of boards of directors will have a dedicated cybersecurity committee by 2025, up from 10% when the prediction was made in January 2021.<\/p>\n<p>\u201cMany boards of directors are forming dedicated committees that allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,\u201d said Sam Olyaei, research director at Gartner, in a statement.\u00a0<\/p>\n<p><strong>2. Make cybersecurity governance a key agenda item<\/strong><\/p>\n<p>Corporate bylaws typically require boards of directors to meet at least once a year, but the actual frequency varies by company and jurisdiction; two or four meetings a year is common. Ideally, experts say, the cadence should be every six to eight weeks.<\/p>\n<p>That\u2019s largely because business and risk conditions can change on a dime: decisions a board makes in January may no longer be relevant weeks or months later. This is especially true of cybersecurity, which must be a regular topic on every agenda, says Marshall.<\/p>\n<p>\u201cWhen I advise boards, I encourage them to have a CISO come in and make a quick report every time,\u201d he says. \u201cThat gives CISOs rapport with the board. And it helps educate board members, especially if the CISOs know how to talk to them from a business perspective.\u201d<\/p>\n<p><strong>3. 
Look beyond risk to resiliency<\/strong><\/p>\n<p>Pearlson says board members need a different approach to cybersecurity: Instead of viewing it as being solely about mitigating technology risk, they should also prioritize resiliency, which includes how they would recover from a successful cyberattack.<\/p>\n<p>That requires a willingness to shift from believing attacks are mostly preventable to acknowledging that they will happen, so you need a plan for minimizing the damage, she says.<\/p>\n<p>\u201cAs a board member, you have to take the perspective that every company will likely experience a breach or attack of some sort,\u201d Pearlson says. \u201cYou also want to know that your company can absorb and recover quickly without downtime. I mean, wouldn\u2019t it be awesome if your company experienced a cyber incident but suffered no financial hit? No data loss? No system downtime? No reputational damage? That\u2019s the vision of where we should be going with cybersecurity.\u201d<\/p>\n<p><strong>4. Get some training\u2014cyber skills fuel smarter cyber governance<\/strong><\/p>\n<p>Experts say that even with a cybersecurity-designate on the board, most members would be better at their jobs if they had a little training in the discipline. 
Pearlson, for example, notes that her institution, the\u00a0<a href=\"https:\/\/executive.mit.edu\/course\/cybersecurity-governance-for-the-board-of-directors\/a054v00000qmgE1AAI.html\">Massachusetts Institute of Technology<\/a>, offers courses specifically designed to familiarize board members with cybersecurity governance fundamentals.\u00a0<\/p>\n<p>Marshall also recommends working with\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/5-myths-and-realities-about-cyber-insurance\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">cyber insurance<\/a>\u00a0providers, who have a vested interest in ensuring their policyholders remain as secure as possible.\u00a0<\/p>\n<p>Outside consultants can be another effective option, he adds.<\/p>\n<p><strong>5. Come together\u2014right now<\/strong><\/p>\n<p>Board members and CISOs don\u2019t always speak the same language, but they are increasingly finding common ground, says Pearlson. She recommends that board members forge closer ties with CISOs to stay on top of vital cybersecurity issues.<\/p>\n<p>\u201cWhile inviting CISOs to report to the board helps with identity, it doesn\u2019t build strong connections between board members and security executives,\u201d she says.<\/p>\n<p>Pearlson adds that her research found some board members and CISOs proactively connect between executive meetings to discuss cybersecurity headlines and potentially damaging incidents. Because they are more familiar with one another, they tend to be better prepared to partner in tackling cybersecurity incidents as they arise.<\/p>\n<p>\u201cA cyber incident isn\u2019t the time to build a bridge,\u201d Pearlson says. 
\u201cThat should occur long before difficult conversations have to take place.\u201d<\/p>\n<p><em>This article was written by David Rand<\/em><em>\u00a0and originally appeared in\u00a0<\/em><a href=\"https:\/\/www.tanium.com\/p\/focal-point\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\"><em>Focal Point<\/em><\/a><em>\u00a0<\/em><em>magazine.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As chairman of the board for Cinturion Group, Richard Marshall is intimately involved in ensuring the security of the fiber optic network his company is constructing from India through the Middle East and on to Europe. 
The monumental Trans Europe Asia System (TEAS) will be difficult enough to build given it will be buried beneath [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1680,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1679"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1679"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1679\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1680"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}