Want a board-level cybersecurity expert? They’re hard to find

by Alan R. Earls, TechTarget, SearchSecurity, November 16, 2016

Members of the board must be ready to defend their fiduciary decisions, corporate policies, compliance actions and, soon, cybersecurity preparedness.

Pity the corporate board. Not that long ago, many boards of directors had a relatively sleepy existence, proffering guidance from time to time, but actually taking action only in the rarest of circumstances.

Nowadays, boards must be ready to defend their fiduciary decisions, corporate policies, compliance actions and, perhaps soon, even cybersecurity preparedness. According to experts, a growing number of companies are seeking cyber-savvy board members; but it’s still far from a majority.

However, in an effort to ensure greater cybersecurity preparedness, U.S. Sen. Jack Reed (D-R.I.) and Susan Collins (R-Maine) introduced the Cybersecurity Disclosure Act of 2015 to Congress in December 2015. Designed to promote transparency, the proposed bill — S. 2410 — would require publicly traded U.S. companies to have at least one cybersecurity expert on their boards.

At this point, the Cybersecurity Disclosure Act is still far from becoming the law, but the fact that Congress has taken notice of the matter underscores how seriously the cyberthreat is regarded.

At the leading edge

“I have noticed much more interest in the [cybersecurity] area from the boards of directors for both for-profit and nonprofit entities,” said Braden Perry, a regulatory and government investigations attorney with Kansas City, Mo., law firm Kennyhertz Perry.

The major driver for the change is the genuine disconnect between business and IT.

“Many boards are filled with very sophisticated business people who are not sophisticated in areas of information technology and security. Information security has become a real issue and a void most boards have,” Perry said. As a result, boards are becoming more active in searching for individuals that can guide the company on security issues.

When organizations have added a board-level cybersecurity expert, it’s often a CIO who has had the visibility and mindshare around information security.

On the board

Security experts who actually serve on boards, such as Jonathan Gossels, echo many of these observations and offer a few of their own. While technically and legally the directors represent the interests of the shareholders, the vast majority of companies are closely held, so the shareholders are mostly part the management team, a few angel investors and friends and family. “This is the case even for many companies in the $50 million to $500 million revenue range,” said Gossels, president and CEO of SystemExperts Corp., an IT security and compliance firm in Sudbury, Mass.

Just as “only your friend can tell you that you have bad breath, our job is to say ‘no’ to bad ideas or to push for needed controls,” he said. As far as cybersecurity goes, Gossels’ role has been to slowly educate management and the other directors about compliance, from minimum levels to “aspirational” requirements. “It takes time to bake cybersecurity thinking into the fabric of an organization,” he added.

Unless there’s been a widely publicized breach, many boards do not focus on cybersecurity preparedness or view requirements, outside of regulations, as major corporate risks.

To read the full article click here.