Why today’s CISOs need a seat on the board

The daily barrage of cyber-attacks and data breaches pose significant threats to all organizations and no enterprise is immue to the risk of becoming a victim of cybercriminals. 

With this in mind, there is a clear argument for CISOs, with valuable cyber security expertise, to have a seat on the board. They must also evolve their reporting to the board to include risk-assessments and quantitative projections of potential risk loss exposure. 

The board has a fiduciary responsibility for cyber security oversight given the potential threat a breach poses to the operational and fiscal stability of the organization.

However, far too many organizations ‘check the box’ equating and conflating regulatory compliance to cyber security controls. It isn’t!

Valuable expertise

Cyber is a complex, ever-changing technical area that requires exacting expertise. 

Such expertise are rarely possessed by board members whose understanding of financial and operational risks does not directly translate into quantifying or qualifying cyber risks and their impacts.

Investors and regulators alike are finally challenging boards to step up their oversight of cyber security including increased management reporting of major breaches and expertise in assessing cyber-related events.

It is time for cyber security professionals to have a seat at the table to ensure this escalating risk is not only being reported to the board, but is being properly assessed, understood and addressed.

From metrics to risk-assessment

To meet this need, CISOs must transition their current board reporting of key performance metrics and infrastructure threat discussions to risk-assessments and quantitative projections of potential risk loss exposure.

To support this transition, in March 2022, the Security and Exchange Commission (SEC) proposed new rules for publicly traded companies.

The SEC said such companies must “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting”.

Additionally, the World Economic Forum’s Centre for Cybersecurity published global recommendations in 2017 to advance the principals for cyber resilience and cyber strategies for board directors and CEOs to take action on cybersecurity.

These actions will not only significantly expand breach-reporting requirements but also reinforce the need for board oversight of cyber risk by understanding the potential economic impacts of such events.

Decicated committees 

By 2025 40 percent of boards of directors will have a dedicated cyber security committee overseen by a qualified board member, up from less than 10% today, according to Gartner. 

This is of one of many organizational changes Gartner expects to see at the board, management and security team level, in direct response to escalating risk created by the expanded digital footprint and increased attack surface of organizations in response to pandemic supply chain and service delivery needs.

Within the US, California continues to lead the way in this area, mandating cyber security expertise on the board. Having a cyber-expert on the board will help ensure that threat messaging effectively communicates the risks and business impacts to the organization and validates the security efforts untaken by management are commensurate with the controls needed.

Do you agree that CISOs deserve a seat on the board? Let us know your thoughts by leaving a comment below.