Boards of directors still lack cybersecurity expertise



Few directors of the largest U.S.-listed companies have direct experience with cybersecurity, presenting a challenge to how executives manage cyberattacks.

An analysis of the board composition of S&P 500 companies found that 88% have no cybersecurity experts as directors. According to the study, only seven companies had a current or former chief information security officer on their board of directors, and in two cases it was the same person.

“This lack of momentum on the board continues to surprise me,” said Dave DeWalt, founder and managing director of venture capital firm NightDragon, who also serves on the boards of Delta Air Lines and software company Five9.

NightDragon and the Diligent Institute, the research and think tank of executive software developer Diligent, conducted the study released Thursday.

Cyber expertise was broadly defined as individuals who currently hold or have held CISO positions; those who have held high-level technology positions, but not necessarily cyber roles; and those who had technology experience without having held management positions.

About 52% of companies had a director with some technology experience adjacent to cybersecurity. This includes individuals who serve on the boards of directors of cyber companies or who are affiliated with a professional organization related to cybersecurity.

Board cyber certifications are now crucial for good governance, said Emily Heath, general partner at venture capital firm Cyberstarts. Heath, former head of security at United Airlines and technology provider DocuSign, sits on the boards of directors of the cyber companies Wiz and Gen Digital.

Directors, in their oversight role, are responsible for ensuring that risks, including cyber risks, are properly managed, Heath said. “You need to have cybersecurity knowledge and expertise to know what questions to ask,” she said.

The results of the Diligent/NightDragon study largely mirror similar research conducted by the Wall Street Journal in November 2022. That analysis found that only 86 of 4,621 directors of S&P 500 companies had relevant cybersecurity experience during the last 10 years.

Proposed rules from the U.S. Securities and Exchange Commission would have required companies to disclose which board members had cybersecurity experience, although that provision was removed from the final rules that took effect September 5.


Directors say it is often difficult to find the right candidates for a board position. Cybersecurity is a highly technical field in which leaders have only recently been elevated to senior management level. Working on a board of directors requires extensive business experience that many security executives lack, said Myrna Soto, founder and chief executive of the consultancy Apogee Executive Advisors.

Soto, who is also a director of Spirit Airlines, banking group Popular, and payroll and benefits administrator TriNet Group, said boards typically discuss cybersecurity issues for a limited time during their meetings. Other issues require their attention, and any cyber expert must be able to justify their place by contributing to these discussions.

“It is extremely important that the candidates who will be on the list to bring this type of expertise to the board are very experienced business leaders,” she said.

Solving this problem will require effort from boards and cybersecurity professionals, said NightDragon’s DeWalt. Security leaders need to expand their overall business knowledge, companies need to elevate the CISO role to a true leadership position, and boards of directors need to be better informed on cybersecurity issues.

“I really want to see a requirement for continuing education in cyber literacy in boardrooms,” he said.

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.


