Board-Level Security

What Directors Should Be Doing To Manage Cyber Risk, and Why They Don’t

Helen Patton
May 10, 2022

We live in interesting times. Not so long ago, security was seen as a technology problem, to be managed by technologists. It was the domain of techno geeks and hackers, an annoyance that never rose to the level of c-suites and board rooms. Early frameworks contained an acknowledgement that security done well requires governance, but that governance was executed by technology architects and operational management. A handful of publicly traded companies discussed technology programs and risks in the boardroom, usually to satisfy compliance obligations.

Over the last decade, there has been a change. Companies are relying on technology to get business done, regardless of industry. Data stored, processed, and transmitted via technology is the lifeblood of organizations. Public Board Directors are being sued or fined for failing to manage their cyber risks. Now the US Securities and Exchange Commission is weighing in with a proposal to strengthen cyber governance:

…investors would benefit from greater availability and comparability of disclosure by public companies across industries regarding their cybersecurity risk management, strategy, and governance practices in order to better assess whether and how companies are managing cybersecurity risks

You would think Chief Information Security Officers (CISOs) would be happy. Finally, there is interest from the top of the house, people ready and willing to step in and take ownership for ensuring the organization manages cyber risks well. Surely this will result in bigger budgets, CISO engagement in the C-Suite (without going through other people to get there), and a clear understanding of the business benefits of including CISOs in strategic planning efforts. Surely? Well, not so fast.

What Should Directors Do Now?

There are a number of resources available to help organizations and Boards of Directors govern appropriately. The World Economic Forum created a guidance document in 2021 that lays out six guiding principles for cyber risk governance.

World Economic Forum Six Principles for Cyber Risk Governance (2021), for a cyber-resilient organization:

  • Cybersecurity as a strategic business enabler
  • Understand the economic drivers and impact of cyber risk
  • Align cyber-risk management with business needs
  • Ensure organizational design supports cybersecurity
  • Incorporate cybersecurity expertise into board governance
  • Encourage systemic resilience and collaboration

The National Association of Corporate Directors (NACD) came out with a Handbook on Cyber-Risk Oversight. They have five principles:

  • Understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.
  • Understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
  • …include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

These (and other) guides can be summed up this way:

  • Know your organization’s risk tolerance
  • Educate yourself about cyber risks, and how they are managed in your organization
  • Have your board committees organized so that appropriate attention can be paid to cyber risk, including having a Director who is a subject matter expert
  • Ensure the cyber risk program is incorporated throughout your organization, and is appropriately funded

How hard can this be?

Why Directors Struggle to Govern Cyber Risk

As it turns out, these recommendations are quite difficult for Directors to follow. Boards lack structure, skill and bandwidth (all of which are solvable in the longer term) and they are supported by a c-suite that also lacks structure, skill and bandwidth.

Knowing Your Risk Tolerance

An organization should have a risk register. One that is complete, actively managed and prioritized. Then, policies and processes are aligned to the same risk prioritization. And, any new business initiatives are evaluated against that risk prioritization before proceeding. No? Well, if your organization doesn’t have all this nicely tied up, you’re not alone.

It’s the Board’s job to establish “risk tolerance/appetite”, which should drive all the rest. But when it comes to cyber risk, the absence of top-down leadership has resulted in organizations that have created this from the bottom up. This approach creates messy inconsistencies and gaps. So a Board will need to evaluate what already exists (if anything) and make sure it aligns to their understanding of the risk tolerance of the org.

Educate Yourself on Cyber Risks

This is one of the easier parts to do. There are plenty of companies just waiting for the chance to charge Boards top dollar to come in and train them on the state of cyber risk as we know it. Governments and law enforcement agencies would be happy to talk to you. There’s lots of individual Director training, too. This is all great. Take advantage of it.

What is most relevant to you as a Board member is what risks YOUR company faces. And risk is contextual, based on your business model, industry, location, political leanings, social media presence, technology stack, operational processes, etc. etc. etc. External training resources won’t be able to help you with that.

Hopefully you have a great security team who can help you understand what they see on a daily basis, what trends are happening, and where they worry for the future. (When was the last time you spoke to the team? The whole team, not just the security leader?) If your security leader doesn’t talk to you in a language you understand, you need to learn a new language just as much as they do. Find a way to learn together.

Be Organized

Traditionally, Boards have handled cyber risk like a compliance problem, owned by the Audit Committee. This is no longer an appropriate way to organize your Board to handle cyber risks.

Because everything your company does has a technology/data component, everything you do has a cyber risk component. If you confine cyber to the bottom of your meeting agenda, with a 30-minute update to the Audit Committee once a quarter (or less), you are not giving it the attention it requires.

Cyber risks should be part of the full board agenda on a regular basis. There should be a committee dedicated to managing technology, and technology/cyber risk. Every major organizational decision (mergers, acquisitions, expansions, contractions, realignments, etc.) should be evaluated in light of the cyber risks it introduces and/or mitigates. Cyber risk doesn’t exist outside of business decisions — it is part of business decisions. Your Board should be structured to recognize that.

When looking for a subject matter expert to be on your Board to manage cyber risks, a warning: “Cybersecurity experience” is NOT simply “Technology experience”.

You can hire a CTO, or CIO, but unless they have sat in the seat of managing a Security Program, they do NOT have the necessary expertise to advise you on how to manage cybersecurity risk.

It would be like asking a General Practice Doctor to advise you on how to do Brain Surgery… same general discipline, very different skills. If you need to have a Cybersecurity SME, look for a Cybersecurity professional — not just someone who has “worked in tech”. Also, respectfully, an academic security researcher is not a Cybersecurity SME either. There is much to learn trying to implement a security program in an organization, surrounded by laws, people, politics, organizational culture, budget wars, and the like, with which an academic researcher has no experience.

Incorporate Security Everywhere, and Fund It

The question Directors (and other stakeholders) should ask is:

“How much company value is cybersecurity protecting/enabling, and are we investing in security enough to protect our value?”

Because most Board members have never been trained on how to manage cyber risk (most MBA programs didn’t/don’t offer it as part of that program, let alone other kinds of executive training), they revert to the domains they know — finance/accounting and organizational management. So they ask “are we spending enough on our security program?”, then are disappointed when the answer is “there will never be enough”. They look for benchmarks to try to provide guidance (“what do our competitors spend?”) but that is the wrong approach too, as the risk profile of the company should drive the spend, and that is as unique as the company.

Boards should be thinking of Security as a business enabler, not a cost or administrative overhead. Until they do this, they won’t ask the right questions or ensure the security program has the comprehensive political support it needs to be successful.

Boards of Directors have a tough job.

Cybersecurity isn’t the only company risk, but as of right now it’s the biggest.

Cybersecurity isn’t something most of them know anything about, but now they need to learn.

Cybersecurity threats won’t wait for boards to get organized and start ensuring that cyber risks are managed well — and stakeholders won’t wait to sue Directors for lack of oversight when the security incident occurs.

Boards of Directors need Security leadership who understands what Directors are responsible for, and can explain the security program in those terms. Directors need to insist that security leaders are in the c-suite, informing strategy and learning the language of the business.

It’s about time Boards of Directors joined companies in responding to cybersecurity risk. It’s not too late to help everyone do better.

May 2022


Written by Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com