While the movement has yet to gain critical mass, Zukis says that leading boards are not waiting for regulatory rules to push them into recruiting and educating directors with more cyber acumen. “They’re already doing this; they’re already building this expertise. Look at the General Motors board, which discloses that five of their directors have cybersecurity skills and competencies,” Zukis says. “They don’t say they’re all experts, but they’ve got some experience.”
In the same vein, several major companies have elected new directors with cyber expertise in 2023. At the beginning of the year, Zoom brought on Cindy Hoots, who serves as CIO and chief digital officer for AstraZeneca; Nordstrom appointed Atticus Tysen, who serves as chief information security and fraud prevention officer for Intuit; and Astra Space appointed Julie Cullivan, who has held a string of executive positions at cyber companies including FireEye, Forescout, and McAfee. Meanwhile, this spring Visa brought on Imperva CEO Pam Murphy to serve as a director on its board.
How boards can incrementally build up cybersecurity knowledge
For companies that have not yet built up cybersecurity expertise among their directors and reporting committees, there’s work to do, says Lam, who explains that there are a number of ways to build up that “cyber-IQ”.
“One is you should get the right board talent in terms of risk and cyber expertise that’s appropriate to their risk profiles,” says Lam, who explains that companies leery of using up a hotly contested director seat for a cyber specialist simply need to broaden their recruitment parameters. For example, he’s been recruited as a corporate director because he brings both cyber and general enterprise risk management expertise to the table. Another colleague on one of his boards was retained because she was the CIO of a large financial organization and had not only cybersecurity but a suite of other technical capabilities. “She had cybersecurity, she had IT, and she had digital business experience. That was all very valuable.”
As organizations slowly change their board composition, they also need to be careful not to end up in a situation where one director is solely responsible for cybersecurity oversight and no one else minds that area of risk, warns Chenxi Wang, a longtime cybersecurity expert and venture capitalist who also serves on the board of directors of MDU Resources Group, a US-based energy and construction materials firm. She says the right approach is to mirror the way a healthy board approaches financial oversight.
“We have a financial expert on the board, but everybody’s responsible for financial. We have to educate the rest of the board,” Wang tells CSO. She explains that in her current role as a director she is the board’s most experienced cybersecurity expert, acting as an internal champion and mentor to raise her fellow directors’ cybersecurity oversight skills. “Through my questioning, through my communication, the rest of the board gets exposed to the right ways of looking at the security program, how you ask questions, and the type of metrics that you want to see.”
Lam seconds Wang’s belief that a board can’t rely on a single director’s expertise. In addition to leaning on an internal board champion, he also recommends that board members, especially the chairs of relevant committees such as the audit or risk committee, seek out formalized training and certification in cyber governance. This training could come from DDN, the National Association of Corporate Directors (NACD), or numerous extension programs from universities around the world.
Of course, the risk is in using that training as a stand-in for recruiting deep expertise among one or more directors in the long run, says Barbara Shurtleff, a fractional CISO, QTE certified, and a member of the leadership committee for 50/50 Women on Boards, a non-profit that aims to bring gender balance and diversity to corporate boards.
“There’s been an explosive offering of cyber governance training in recent years. While that is a great step in the right direction, a lot of them vary as far as the quality of content goes,” Shurtleff tells CSO. “You can’t substitute somebody’s cyber experience and knowledge from a lifetime of professional experience into a two-week course. So, sending board directors to this type of training and saying they’re experts can be misleading.”
According to Zukis, besides recruiting directors with cybersecurity experience, corporate boards can also strengthen their cybersecurity oversight by adding more relevant committee oversight. Today the board committee most likely to oversee cybersecurity is the audit committee. Zukis warns that this can limit the depth of visibility and oversight: not only does the audit committee have many other financial matters to oversee, but it is also most likely to be led by people with deep financial backgrounds and very little cybersecurity knowledge. His recommendation is that more boards set up a technology and cybersecurity committee.
“With a tech and cyber committee we bring together a critical mass of digitally savvy directors to the table and we transform the way they understand risk, disclose risk, and disclose incidents,” he says, explaining that leading companies like FedEx set up committee oversight in this way. “This way you consider risk alongside the impact of the great innovations.”
Finally, where a formal tech and cyber committee is not yet on the docket, Lam suggests that boards use working groups to improve cybersecurity visibility and collaboration with CISOs and other security stakeholders in the organization.
“In a working group you have a couple of board members and you have a couple of executives–they’re small groups that pull up their sleeves with constructive dialogue and no minutes,” he says, explaining that a working group is usually formed ad hoc to solve a specific problem. For instance, it could be formed to improve quarterly or monthly cybersecurity reporting standards from management to the board. “Once you solve the problem, you dissolve the working group and integrate the work into an audit or risk committee.”