How much cybersecurity expertise does a board need?

Reporting regulations across the world are shifting and increasing the focus on the board of directors and their knowledge to deal with and respond to cybersecurity threats. To meet such regulations and improve the board’s expertise, organizations should look to recruit board directors with relevant cybersecurity and risk management experience or train existing directors.

With the financial fallout from security incidents at MGM and Clorox drawing significant attention to the bottom-line impacts wrought by cybersecurity threats, board of director awareness for cybersecurity incidents is at a fever pitch. Meantime, new regulations from the US Security Exchange Commission (SEC) on disclosure are expected to thrust many more of these incidents into the headlines–by forcing public companies to become much more transparent about security incidents when they arise.

The question is how many boards are equipped with sufficient cybersecurity expertise to help their organizations navigate all of this?

A growing cohort of experts say not nearly enough. This cross-section of corporate governance experts and cybersecurity pundits believe that corporate boards are going to need to adjust their board composition and director education to appropriately match the current risk and regulatory reporting environment. “When you look at the composition of board members at many organizations, they don’t have sufficient risk expertise–I think that’s both cyber and broader enterprise risk,” says James Lam, president of James Lam & Associates, a board advisory and consulting firm, and a veteran risk management expert and corporate director. “When you look at the skills matrix that companies disclose on their prospectus, very often they check off risk. But when you look deeper into the background, it’s really not there to the level of depth that they need.”

This lack of depth in cyber expertise impedes directors from meaningfully leading discussions about their organization’s risk-related decisions, and it ultimately impacts risk governance and accountability.

The measures each company should ideally take to bolster cyber expertise on the board will depend on the business, its goals, and risk appetite. To move the needle on this board knowledge gap, some of the most likely strategies include recruiting directors with relevant professional experience in cybersecurity risk management, forming tech and cybersecurity committees on the board, strengthening the education of sitting directors in business-relevant cybersecurity principles, and improving communication pathways with CISOs and chief risk officers.

Statistics prove out a lack of board-level cyber expertise

Over the last several years corporate CISOs have been called out and challenged by the business community to level up their communication skills. The call to action for security leaders has been to better communicate risk in the context and language of business goals. While not perfect, as a class CISOs are rising to this challenge and improving the narrative and the metrics with which they communicate. But CISOs can’t do all of the work themselves. Directors need to meet them in the middle with enough baseline knowledge to effectively receive those reports from CISOs, analyze them, and hold security management accountable.

“You don’t have to be a technical expert, but you have to be able to ask the right questions. You have to ask the tough questions, and you have to hold the management accountable for results,” explains Lam. “And then you have to know what kind of results you are looking for. And then you have to ask for the right metrics, the right risk appetite, and the right reporting.”

Unfortunately, the statistics indicate that today’s boards simply don’t have the depth of cybersecurity knowledge to appropriately ask and receive the right answers from security leadership. A study from NightDragon and Diligent shows that 88% of S&P 500 companies have boards without a single cybersecurity expert as a director. That corroborates an earlier analysis by WSJ Pro Research in 2022 of the professional backgrounds of 4,621 board directors representing S&P 500 companies that showed just 86 of them had relevant professional experience in cybersecurity within the last decade.

This dearth in director experience stands as a detriment to how the board makes business and technology decisions, says Bob Ackerman, managing director and founder of Allegis Cyber Capital. “We need to develop better cyber expertise at the board level because cyber is tied up with systemic risk to the enterprise,” Ackerman says. “Technology is the substrate upon which cybersecurity risk rides on. Directors need to understand enough to think about cyber risk as they’re making other business decisions.”

Companies are realizing the importance of cybersecurity knowledge in boards

SEC regulators seemingly agreed there’s a need for corporate boards to improve oversight by attracting more directors who have deep subject matter expertise in cybersecurity. Prior to locking in its expansive new cybersecurity reporting requirements, the SEC had provisionally included language that would require public companies to disclose detailed information about the type of cybersecurity expertise held by board directors. That requirement was deleted at the eleventh hour.

Many in the security and governance communities believe this was a missed opportunity to have regulators accelerate changes at the board level. Though some say it’s understandable why this requirement was omitted this time around.

“I was a little disappointed that the SEC pulled back on requiring that this expertise be in the boardroom,” says Tia Hopkins, chief cyber resilience officer and field CTO for eSentire and a boardroom-certified Qualified Technology Expert (QTE). “But when I kind of take a step back and think about what the SEC is trying to do in a broad sense, some publicly traded companies are really small and have really small boards, and they have a lot of things that the business needs to think about. So, to require that they dedicate one of these already very limited number of board seats to someone with cybersecurity expertise is a tall order for an organization like that.”

While Ackerman says the SEC omission was a mistake, he concedes that there are not enough veteran CISOs and cybersecurity risk experts with well-rounded business expertise to capably fill out seats across hundreds of public companies. “And I think having an experienced cybersecurity professional on the board who also can contribute as a board member would be ideal,” he tells CSO. “But these kinds of CISOs are unicorns. I don’t think you’re going to be able to satisfy it with just CISOs. Because there are a lot of CISOs that are frankly not going to make the cut for a public board.”

Nevertheless, companies can’t take SEC’s easing up on the gas pedal as an invitation to ignore cyber expertise at the board level, says Bob Zukis, a professor at USC Marshall School of Business and CEO of Digital Directors Network (DDN), which helps companies improve digital and cyber risk governance through training of digital, cybersecurity leaders, and board directors. As he explains, improving the technical and cyber acumen of the board is table stakes in the era of digital transformation.

“It’s common sense. We shouldn’t even be having this debate, quite frankly,” Zukis tells CSO. “But cybersecurity is only one critical competency of many that boards need on these issues. We need people who understand data information architecture, the regulatory environment, the risk communication environment, and the emerging technologies that are creating value. It’s a critical mass of three or four directors. That depth and breadth of expertise across the critical complex digital system. It’s not just a cyber discussion.”

While the movement has still yet to gain critical mass, Zukis says that leading boards are not waiting for regulatory rules to push them into recruiting and educating directors with more cyber acumen. “They’re already doing this; they’re already building this expertise. Look at the General Motors board, which discloses that five of their directors have cybersecurity skills and competencies,” Zukis says. “They don’t say they’re all experts, but they’ve got some experience.”

In the same vein, several major companies have elected new directors with cyber expertise in 2023. At the beginning of the year Zoom brought on Cindy Hoots, who serves as CIO and chief digital officer for AstraZeneca, Nordstrom appointed Atticus Tysen, who serves as chief information security and fraud prevention officer for Intuit, and Astra Space appointed Julie Cullivan, who has had a string of executive positions at cyber companies like FireEye, Forescout, and McAfee, among others. Meantime, this spring Visa brought on Imperva CEO Pam Murphy to serve as a director on its board.

How boards can incrementally build up cybersecurity knowledge

For companies who have still not yet built up the cybersecurity expertise among its directors and reporting committees, there’s work to do, says Lam, who explains there are a number of ways to build up that “cyber-IQ”.

“One is you should get the right board talent in terms of risk and cyber expertise that’s appropriate to their risk profiles,” says Lam, who explains that companies leery of using up a hotly contested director seat for a cyber specialist simply need to broaden their recruitment parameters. For example, he’s been recruited as a corporate director because he brings both cyber and general enterprise risk management expertise to the table. Another colleague on one of his boards was retained because she was the CIO of a large financial organization and had not only cybersecurity but a suite of other technical capabilities. “She had cybersecurity, she had IT, and she had digital business experience. That was all very valuable.”

As organizations slowly morph their board composition, they also need to be careful to not get into a situation where one director is solely responsible for cybersecurity oversight and no one else minds that area of risk, warns Chenxi Wang, a longtime cybersecurity expert and venture capitalist who also serves on the board of directors for MDU Resources Group, a US-based energy and construction materials firm. She says the right approach is to mirror the way a healthy board approaches financial oversight.

“We have a financial expert on the board, but everybody’s responsible for financial. We have to educate the rest of the board,” Wang tells CSO. She explains that in her current role as a director, she’s the most experienced cybersecurity expert who acts as an internal champion and mentor to level up her fellow directors’ cybersecurity oversights. “Through my questioning, through my communication, the rest of the board gets exposed to the right ways of looking at the security program, how you ask questions, and the type of metrics that you want to see.”

Lam seconds Wang’s belief that a board can’t rely on a single director’s expertise. In addition to leaning on an internal board champion, he also recommends that board members–especially chairs of relevant committees like audit or risk committees–should be seeking out formalized training and certification for cyber governance. This training could come from DDN, the National Association of Corporate Directors (NACD) or numerous extension programs from universities around the world.

Of course, the risk there is not using that training as a stand-in for recruiting deep expertise among one or more directors in the long run, says Barbara Shurtleff, a fractional CISO, QTE certified, and member of the leadership committee for 50/50 Women on Boards, a non-profit aimed to bring gender balance and diversity to corporate boards.

“There’s been an explosive offering of cyber governance training in recent years. While that is a great step in the right direction, a lot of them vary as far as the quality of content goes,” Shurtleff tells CSO. “You can’t substitute somebody’s cyber experience and knowledge from a lifetime of professional experience into a two-week course. So, sending board directors to this type of training and saying they’re experts can be misleading.”

According to Zukis, besides recruiting directors with cybersecurity experience, corporate boards can also strengthen their cybersecurity oversight by adding more relevant committee oversight. Today the board committee most likely to oversee cybersecurity is the audit committee. Zukis warns that this can limit the depth of visibility and oversight because not only does this committee have a lot of other financial matters to oversee but it is also most likely to be led by those with deep financial backgrounds and very little cybersecurity knowledge. His recommendation is that more boards start up a technology and cybersecurity committee.

“With a tech and cyber committee we bring together a critical mass of digitally savvy directors to the table and we transform the way they understand risk, disclose risk, and disclose incidents,” he says, explaining that leading companies like FedEx set up committee oversight in this way. “This way you consider risk alongside the impact of the great innovations.”

Finally, as a formal tech and cyber committee is not yet on the docket, Lam suggests that boards utilize working groups to improve cybersecurity visibility and collaboration with CISOs and other security stakeholders in the organization.

“In a working group you have a couple of board members and you have a couple of executives–they’re small groups that pull up their sleeves with constructive dialogue and no minutes,” he says, explaining that a working group is usually formed ad hoc to solve a specific problem. For instance, it could be formed to improve quarterly or monthly cybersecurity reporting standards from management to the board. “Once you solve the problem, you dissolve the working group and integrate the work into an audit or risk committee.”