Help the board understand where the business is vulnerable, where controls end, and where exposure begins.
For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common practice for vendors to have e-books, webinars, and presentations about how and what chief information security officers (CISOs) should present to their boards — when they get the chance.
Along with a lack of opportunity, CISOs might have anxiety about presenting to the board because they are the only C-level executives without a tool of their own to measure ROI. From Salesforce to Workday to Marketo, C-suite executives have platform solutions aggregating, analyzing, and reporting on every aspect of the operation. There is no such solution for the CISO, making it harder to measure security program ROI or to demonstrate business value.
The irony is that, despite all the interest in presenting to them, to say cybersecurity is not a core competency of the board is an understatement. WSJ Pro Cybersecurity Research investigated the professional background of all S&P 500 board members and found that less than 2% “had relevant professional experience in cybersecurity in the last 10 years.”
No matter who you are, it’s difficult to have great interest in something you don’t understand. That is, until you’re motivated to learn. What we have in front of us now is a great awakening for boards and cybersecurity, courtesy of the Securities and Exchange Commission (SEC).
According to Harvard Business Review, “a proposed SEC rule will require companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk, a description of management’s role in assessing and managing cyber risks, the relevant expertise of such management, and management’s role in implementing the company’s cybersecurity policies, procedures, and strategies.”