How much cybersecurity expertise do boards actually have?


The number of directors at S&P 500 companies with cybersecurity experience has increased sharply since last year. But the number of cybersecurity experts on corporate boards remains relatively low, at a time when corporate boards are facing increased scrutiny due to security breaches.

As of August 31, 107 directors at 113 companies had professional cybersecurity experience, according to a study by WSJ Pro Research. Together, these directors held a total of 124 S&P 500 board seats and represented 2.3% of the directors serving on the boards of companies in the index. This same research conducted last November found that 86 directors from 91 companies held 100 board seats.

This increase is likely due primarily to companies’ growing awareness that cybersecurity is central to their long-term business performance, says Jamil Farshchi, chief information security officer at Equifax and board director of the software company UKG. Cybercrime represents a significant and growing risk for businesses, threatening to disrupt their operations, tarnish their reputations and expose them to legal action and sometimes regulatory sanctions if they fail to protect their data.

Additional incentive to add board members with cybersecurity experience could come from a Securities and Exchange Commission rule adopted in July aimed at improving board oversight of cybersecurity risks.

Perception versus reality

The relatively low level of cybersecurity experience among directors found in our latest research contrasts with the results of a survey conducted by WSJ Pro Research and the National Association of Corporate Administrators earlier this year. In responses to this survey of 472 corporate board directors, 76% said their board had at least one cybersecurity expert, including 19% who said their board had at least three directors with expertise in cybersecurity.

This contrast suggests that some directors may overestimate the cybersecurity expertise of board members who do not have professional experience in the field. Farshchi says having someone on the board with at least some knowledge of technology is a big step forward, but if the goal is to truly provide effective cybersecurity oversight, a director needs related work experience.

He does not believe that companies can claim to effectively supervise cybersecurity risks without a director with specific expertise in this area. “They can make this claim, but – barring exceptional circumstances – not in a credible way,” he says. “This would be the equivalent of a board of directors composed exclusively of CISOs claiming to be able to ensure effective oversight of financial risks. It’s possible, but unlikely.”

Of the 107 directors in our latest research who have such expertise, 82 have experience in a management role, including eight as chief information security officers and 68 as chief information officers. The other 25 directors’ experience comes from either having held a high-level government position in cybersecurity or having led and/or founded a cybersecurity company. The research analyzed data from FactSet, publicly available biographies and social media.

More than half of the directors with cybersecurity experience in our study were on the boards of financial services and information technology companies. About a quarter of them sat on the boards of industrial and health care companies.

Most industries added directors with cybersecurity experience, although the healthcare and communications services industries remained at previous levels and the real estate industry lost all of its cyber directors. Of the four real estate directors with cybersecurity experience we found in 2022, two have left their boards and two are no longer qualified for our research due to the length of time since they held a cybersecurity-focused role.

No experience necessary?

Not everyone believes that every company’s board of directors needs a director with cybersecurity experience. “Board seats are a limited resource and it is impractical to hire a director for each specialty,” says Shamla Naidoo, head of cloud strategy at cybersecurity firm Netskope and former CISO of International Business Machines. “Risk governance in the cyber domain is not fundamentally different from risk management in any other domain.”

Additionally, Naidoo says that even when a breach prompts a board to improve its ability to manage cybersecurity risks, hiring a single cybersecurity specialist to serve on the board is not necessarily the best approach. “It’s not a scalable or thoughtful way to address the new risks businesses face,” she says. Instead, she calls for “a cyber-responsive board staffed with many competent directors.”

Naidoo co-authored a free e-book for board directors called The Cyber Savvy Conference Room: The Essentials Explained.

Regardless of the makeup of a board, most directors don’t have much confidence in their board’s ability to handle a cybersecurity incident. While about three-quarters of directors responding to the WSJ Pro/National Association of Corporate Administrators survey said their board had at least one cybersecurity expert, only 30% rated their board’s capability to oversee a cybersecurity crisis as “expert” or “advanced.” This suggests that most companies are still likely to make mistakes in response to breaches, mistakes that will raise questions about board performance, especially if the board does not include someone with cybersecurity experience.

Cyber experience profiles

Individual directors fell broadly into three categories:

  • Information Technology/Information Security Professional Role: Eighty-two directors have direct professional experience in information security, information technology, or other applicable roles. For example, Shankar Arumugavelu, head of Seagate Technology Holdings, serves as senior vice president and global CIO at Verizon.
  • Cybersecurity company manager: Nineteen executives founded and/or led cybersecurity or data security companies. For example, Nir Zuk, director of Palo Alto Networks, co-founded the company and was co-founder and chief technology officer of intrusion prevention company OneSecure, now a subsidiary of Juniper Networks, where Zuk became a security technologist.
  • Government or military role in cybersecurity: Six directors were previously senior government or military officials. For example, Huntington Bancshares Inc. Director John Chris Inglis joined the board in May 2023 after serving as U.S. National Cybersecurity Director and in the Office of the National Cybersecurity Director. Inglis also served 28 years at the National…


Eleon

With a penchant for words, Eleon Smith began writing at an early age. As editor-in-chief of his high school newspaper, he honed his skills telling impactful stories. Smith went on to study journalism at Columbia University, where he graduated top of his class. After interning at the New York Times, Smith landed a role as a news writer. Over the past decade, he has covered major events like presidential elections and natural disasters. His ability to craft compelling narratives that capture the human experience has earned him acclaim. Though writing is his passion, Eleon also enjoys hiking, cooking and reading historical fiction in his free time. With an eye for detail and knack for storytelling, he continues making his mark at the forefront of journalism.