The Board of Directors challenge: snapping up those cyber-smart directors before they’re gone (including a chat with Steve King)

“Directors don’t grow on trees and, certainly, directors with cybersecurity experience don’t grow on trees”.

2 JUNE 2023 — There is an interesting piece in the Wall Street Journal today: companies shouldn’t wait for new rules around cybersecurity, privacy and emerging technologies to be finalized before preparing for them, lawyers say, particularly as senior executives with the right experience can be hard to come by.

Proposed cybersecurity rules from the U.S. Securities and Exchange Commission would require public companies to disclose which board members have security knowledge or experience, along with details about the board’s approach to cyber oversight. The SEC published draft rules in March 2022 and is expected to finalize them in the coming months. Said Dominique Shelton Leipzig, a partner in the cybersecurity and data privacy practice at law firm Mayer Brown:

“The board issue is coming fast and furious onto the table around the world”.

The SEC wants to see more transparency and board expertise to better protect investors from expensive and disruptive cyberattacks, said Kristy Littman, a partner at law firm Willkie Farr & Gallagher who until July 2022 was chief of the crypto assets and cyber unit in the SEC’s division of enforcement. Littman was speaking at the WSJ Pro Cybersecurity Forum on Wednesday.

Companies should start looking now for directors with cyber expertise, or hire experts to advise them, because there will be competition for a small pool of such people, Littman told the forum:

“Directors don’t grow on trees and, certainly, directors with cybersecurity experience don’t grow on trees”.

A barrage of legal proposals and recent regulatory penalties are also forcing corporate executives and directors to pay closer attention to their companies’ privacy and cybersecurity measures. In the European Union, upcoming rules on artificial intelligence and last month’s record-high privacy fine of $1.3 billion against Facebook parent company Meta Platforms are piling onto executives’ list of concerns. The ruling said Meta exposed European users’ data to surveillance by the U.S. government. Meta has said it would appeal the ruling.

Regulators are striving to catch up with the fast pace of technology development, especially in AI, which carries both privacy and security risk. The C-suite as well as the board should get involved in discussions about AI before business units and the tech team build expensive applications on it, because upcoming rules could require substantial changes to how those systems handle data. In a WSJ Pro Research survey of 472 corporate board directors published in March, 30% rated their board’s ability to oversee a cyber crisis as “expert” or “advanced.”

A number of other coming regulations also call for boards to step up their cyber and data protection competence. The New York State Department of Financial Services proposed changes last year to its cybersecurity rules for financial companies, requiring boards to include experts or hire external advisers in 15 different domains including network security, consumer data privacy and third-party service management. The agency is reviewing public comments on the amendments.

It would be unrealistic for any one director to have such a range of expertise. Many companies will opt to hire consultants to help directors ask the right questions of chief information security officers and other executives responsible for data risks.

We wanted a deeper perspective, so we had a chat with our primary source on cyber matters, Steve King. We always turn to him first on anything concerning cyber, given his 20+ years in senior leadership roles in cybersecurity and technology development. As always, Steve can provide a “Big Picture” view – as well as a fine-grained view of each detail. A few bits from that conversation:

Project Counsel Media (PCM): The Journal article. Thoughts?

Steve King (SK): As you well know I could talk about this for hours. One of the biggest issues I have when putting business and technology professionals in a room together, especially with a Board of Directors, is that cybersecurity is usually discussed using highly technical language which means nothing to anyone. So, finding a common vocabulary is important not just for ensuring clear communication between the C-suite and the cybersecurity function but also for raising awareness about potential cyberthreats and risks among employees throughout the company. To have a “cyber competent” Board member makes the world of difference.

PCM: Which also gets to a chat we once had about comfort zones.

SK: Yes. We believe that the cybersecurity team has a fundamental duty to illustrate how cybersecurity is part of the business process and can help drive revenue. In order to do that, the team must rise above their comfort zone and speak in terms that normal folks understand. These cyber-discussions should take place regardless of whether the company is facing an imminent threat or not. For instance, one effective stage-play might be a simple breakdown of a typical security-event drill that provides members of the board and the C-suite a step-by-step overview of what would happen in a typical attack. But you need a cyber savvy Board to make it work properly.

PCM: Can you get into a bit more detail about training for our new readers?

SK: Sure. A program that delivers all levels of training, for cybersecurity practitioners, engineers, analysts, CISOs, non-CISO executive suite and board members, along with everyone else in an organization, in a curated context that will ensure everyone is getting exactly what they need, when they need it, and in a consumable, consistent and repeatable set of programs overseen by an assigned success manager who assures that value is continuously extracted and applied. An online learning program designed to be an extension of an organization’s expanding purview over cybersecurity education, delivery, absorption and execution.

But my issue … and as you know I am continually pounding the desk on this … is that if we don’t do something really soon, it won’t matter how many new technologies we invent, how much new cyber-threat awareness we create in our corporate boardrooms or how many new initiatives we create around the traditional approaches to managing cybersecurity. If we don’t shift our approach to a risk management model, re-build our cyber-defense infrastructure on the basis of a Zero Trust architecture, and staff it with an abundance of trained warriors, we will continue to retreat from this cyber-war front in the business of business, out-resourced, out-smarted and out-intimidated by opposing forces unencumbered by layers of social justice and political correctness, just as we have been doing for the last 20 years. But a “cyber-threat aware” Board will help immeasurably.

PCM: Ah, this reminds us of our recent chat about the spreading attack vector, and your analysis of ChatGPT.

SK: If we could just lay aside ChatGPT for a moment, let’s look at the bigger picture. Constant internal pressure to leverage new paths to digitization, exploding attack vectors and the shift in both professional and now personal liability for C-level executives and Board members have created additional layers of economic risk unprecedented in the history of business. My experience is that the board simply does not trust either the IT or Security leadership; they don’t trust that either team understands the business or could make the right executive decisions were they in charge, and as a consequence, the board will not relinquish the reins of leadership outside of their domains. But a cyber savvy Board member tips the scales in a favorable direction.

PCM: So it enables the strategy?

SK: Exactly. It means translating that strategy into language that the board will understand and contextualize outside the standard threat/consequence matrix, so that professional risk decision makers can make determinations aligned with realities that they can now understand. We may not be able to fix leadership issues at the national or international levels, but nothing stops us from doing so within our own domains.

And to close, security experts are treated as mythical knowledge priests, but held far more weirdly than doctors or chemists, as regular folks just don’t comprehend what these people actually do. Corporations give their CISOs lots of serious money, they weave some incomprehensible computer science together, and the board (too often) reads reports that no one understands and everyone prays that nothing bad happens on their watch. So the Wall Street Journal is right: go out and grab all the cyber pros you can. And we can help.

For more about Steve’s organisation, his cyber work and how he can assist your company, contact him via LinkedIn.
