Richard Starnes at Six Degrees argues for the urgent need for board-level cyber-security committees
A couple of years ago, industry analysts predicted that nearly half of company boards would have a dedicated cyber-security committee by 2025. Today, however, there remains a significant question mark regarding how much progress is being made and whether organisations are giving the issue sufficient priority.
For example, according to analysis published recently in Forbes, up to 90% of companies in the Russell 3000 lack “even a single director with the necessary cyber expertise.” In addition, only half of Fortune 100 companies have a director on their boards with relevant cyber-security experience, while in the Fortune 200 and 500, only 9% have “cyber-savvy directors.”
Despite these worrying stats, it’s clear that boards of directors have a critical role to play in ensuring their organisations are protected against cyber-threats. In fact, organisations everywhere have gone beyond the point where cyber-security is just an IT issue. Today, it’s a fiduciary responsibility that requires the full attention of the board.
But for many boards, the key question is clearly: how? One way in which a board can meet this important area of responsibility is by creating a dedicated cyber-security or cyber-risk committee.
As Deloitte explains, “. . . one of the Board’s most important tasks is to verify that management has a clear perspective of how the business could be seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimise the likelihood of a cyber incident—and the ability to mitigate any potential damages.”
Roles and responsibilities
In practical terms, the role of a dedicated cyber-security committee is to assist boards in addressing the increasing risks associated with cyber-threats and, by doing so, to ensure they focus on a number of crucial requirements:
Increased cyber-security focus. By creating a dedicated cyber-security committee, boards can ensure that cyber-security risks are given the appropriate level of attention and resources within the organisation. The committee can focus solely on identifying, assessing, and mitigating strategic cyber-security risks, ensuring that the organisation is better protected against these risks.
Better decision-making. Such a committee can provide the board with valuable insights and recommendations regarding cyber-security issues. The committee can regularly report to the board on the organisation’s cyber-security posture, review areas which have been improved, and identify and prioritise those which require improvement, as well as recommend strategies for mitigating risks. This information can help leaders make informed decisions regarding cyber-security investments and strategies.
Access to experience and expertise. A dedicated cyber-security committee can also provide the board with access to cyber-security expertise that may not otherwise be immediately available to them. For example, the committee could incorporate external individuals who have specialised knowledge and experience in cyber-security, providing the board with a deeper understanding of the risks and opportunities they face.
Improved communication. With a cyber-security committee, a board can improve communication between management and the board regarding cyber-security issues. The committee can act as a bridge between management and the board, ensuring that the board is properly informed about cyber-security risks and strategies in a timely and effective manner.
Greater accountability. A cyber-security committee can also assist in promoting accountability within the organisation regarding cyber-security risks. By regularly reporting to the board, the committee can ensure that cyber-security risks are given the appropriate level of attention and resources, and that progress is being made in mitigating these risks.
One crucial point to remember is that whatever role and responsibilities a cyber-security committee is given, it doesn’t absolve the CISO of overall responsibility. The committee is there to work in concert with them, adding a level of support and independent assurance for the board that cyber-security risks are being handled within the risk tolerance levels they have established.
These are crucial considerations, and it’s clear that in many organisations, the boards of directors must work harder to protect against today’s risks and vulnerabilities. By creating a dedicated cyber-security committee, business leaders can increase their focus on cyber-security, make informed decisions, access expertise, improve communication, and, by doing so, fulfil their fiduciary responsibility, and assure regulators.
As a study by the Harvard Law School Forum on Corporate Governance puts it, “In exercising the board’s oversight function, we recognise that the best action for the board is to demand, review and analyse management’s plans for cyber risks.”
Those organisations that follow this advice will be better placed to protect themselves against cyber-threats, safeguard the brand, and position the organisation for success in the digital age.
Richard Starnes is Chief Cyber-security Strategist at Six Degrees
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543