How to Prepare for Heightened Board Involvement in Cybersecurity
The regulatory landscape is changing around cyber breaches and incident management. The U.S. Securities and Exchange Commission (SEC) announced a new rule in July 2023 that requires companies to disclose material cybersecurity incidents much earlier—within four business days—or risk fines or other punitive actions.
The SEC explained that the rule was being enacted because so many cyberattacks and incidents have deep, material ramifications on the value of the affected entity, which could directly change shareholder value. Not adequately disclosing this information in a timely manner could skew shareholders’ decisions to invest in a company.
This action is likely to dramatically ramp up interest from boards of directors and C-suite leaders about their organization’s cybersecurity posture, preparedness, and incident response plans, says Fayyaz Makhani, global cybersecurity architect at global cybersecurity and compliance company VikingCloud. Makhani notes that the SEC rule and related charges against SolarWinds are a reminder that the responsibility for cybersecurity cannot rest solely on the CISO’s shoulders.
Security Management caught up with Makhani via email in November about the latest evolution in cybersecurity regulation and what it means for boards, cybersecurity professionals, and the industry at large.
Security Management (SM). What does effective board-level oversight into cybersecurity look like? Is anyone currently doing this well?
Fayyaz Makhani. Effective board-level oversight into cybersecurity involves a comprehensive understanding of the organization’s cybersecurity posture, including its strengths, weaknesses, and vulnerabilities. Boards should work closely with the CISO to ensure that the organization’s cybersecurity posture is aligned with its business objectives.
Boards can take several actions to provide effective cybersecurity governance. These include:
- Add cybersecurity expertise to the board. Just as boards have financial, legal, and economic expertise, you want someone who understands the risk involved and can provide strategic oversight.
- Board members can connect with CISOs to become more knowledgeable on cybersecurity topics so they can ask informed questions.
- Board members can take part in incident response simulation exercises, which provide valuable insights into preparedness and the organization’s capability to respond and recover.
There are several boards now that include cybersecurity reporting as a regular part of the meeting agenda. This is a great starting point for the boards to get into a regularized, routine, and up-to-date view of cybersecurity risks.
SM. How can organizations start pushing for a more unified, comprehensive approach to cybersecurity—is this driven from the board or from the CISO/security executive?
Makhani. To be successful, this needs to be a collaborative effort. The starting point can be as simple as the board, in its leadership role, establishing regular and meaningful reviews. Knowledge gained from these reviews can bring to light areas that require additional support and security objectives that need to be realigned to the business objectives.
SM. How can a security executive bring the board into more cybersecurity discussions and decisions?
Makhani. Increasing regulatory demands, compliance, and lawsuits can be a gateway to these relationships. Reporting regulations across the world are shifting and increasing the focus on the board of directors and their knowledge to deal with and respond to cybersecurity threats. With the large financial fallout from recent security incidents drawing significant attention to the bottom-line impacts wrought by cybersecurity threats, board of directors’ awareness of cybersecurity incidents is high. Meanwhile, new regulations from the U.S. Securities and Exchange Commission (SEC) on disclosure are expected to thrust many more of these incidents into the headlines—by forcing public companies to become much more transparent about security incidents when they arise.
Security executives can utilize these ideas to initiate or further these conversations with the board.
SM. What communication skills or approaches have you found effective when discussing cybersecurity with board- or C-Suite-level leaders?
Makhani. When discussing cybersecurity with board- or C-suite-level leaders, it is important to communicate in a way that is clear, concise, and easy to understand. Avoid using unnecessary technical jargon and domain-specific terms that may not be familiar to everyone. Instead, focus on the business impact of cybersecurity and how it relates to the organization’s overall objectives.
We coach our security leadership clients to:
- Speak in terms of risk. Boards and C-suite-level leaders are primarily concerned with risk management. Therefore, it is important to frame cybersecurity discussions in terms of risk. Explain how different cybersecurity measures can help mitigate risk and protect the organization’s assets.
- Use analogies. Analogies can be a powerful tool for explaining complex cybersecurity concepts in a way that is easy to understand. For example, you could compare cybersecurity to a game of chess, where each move has consequences and requires careful planning.
- Focus on the big picture. Cybersecurity is just one aspect of the organization’s overall risk management strategy. Therefore, it is important to focus on the big picture and how cybersecurity fits into the organization’s overall objectives.
- Be prepared. Boards and C-suite-level leaders are busy people. Therefore, it is important to be well-prepared for cybersecurity discussions. Have a clear agenda, be ready to answer questions, and provide relevant data and metrics to support your arguments.
SM. What are some lessons that organizations can take away from the SolarWinds SEC charges regarding board involvement in cybersecurity?
Makhani. The SolarWinds hack was a wake-up call for many organizations, highlighting the need for a more proactive approach to cybersecurity. The SEC charged SolarWinds and its chief information security officer with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
We can learn several lessons from the SolarWinds SEC charges:
- Boards should be actively involved in cybersecurity decisions. Cybersecurity is no longer just an IT issue. It is a business issue that requires the attention of the entire organization, including the board. Boards should be actively involved in cybersecurity decisions and should work closely with the CISO to ensure that the organization’s cybersecurity posture is aligned with its business objectives.
- Procedures to mitigate liability and meet compliance needs. Organizations should have well-defined procedures in place to mitigate liability and meet compliance needs. These procedures should be reviewed and updated regularly to ensure that they remain effective in the face of evolving threats.
- Importance of cybersecurity awareness training. Employees are often the weakest link in an organization’s cybersecurity defenses. Therefore, it is essential to provide regular cybersecurity awareness training to all employees to ensure that they are aware of the latest threats and how to avoid them.
- Need for a comprehensive incident response plan. Despite best efforts, breaches can still occur. Therefore, it is essential to have a comprehensive incident response plan in place to minimize the impact of a breach. The plan should be regularly tested and updated to ensure that it remains effective.
Claire Meyer is managing editor of Security Management. Connect with her on LinkedIn.