The Critical Role of CISOs in Cybersecurity Governance
Aleksandr Zhuk CISO at SFOX, Professor of Cybersecurity at Yeshiva University
Twenty years ago, the governance of US corporations was transformed by the Sarbanes-Oxley Act (SOX), which required corporate boards to have financial experts among their members. Today, it is hard to imagine an organization’s governance body lacking this essential expertise. At the same time, as data and digital assets are now at the core of value creation for most modern businesses, the need for robust cybersecurity governance has never been more critical. A year ago, to protect the interests of business and public stakeholders, the Securities and Exchange Commission (SEC) set out to transform the boardrooms again. In the proposed “Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” ruling, the SEC mandated “Periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.” The SEC ruling recognizes and emphasizes that corporate boards bear ultimate responsibility for governing cyber risk.
This year, the proposed ruling gained additional support in the SEC’s ongoing efforts to develop a robust regulatory cyber risk governance framework. The proposed rules highlight the growing importance of cybersecurity in corporate governance and the recognition of the Chief Information Security Officer's (CISO) crucial role in managing cyber risk. As the most senior cybersecurity practitioners in the organization, CISOs are now expected by regulators and boards to take on additional leadership responsibilities: managing periodic regulatory disclosure and continuously engaging with their board of directors to provide the necessary education and expertise. State-level regulations, such as New York State’s “Cybersecurity Requirements for Financial Services Companies” (known in the industry as DFS-500), have further underscored the critical cybersecurity governance role that CISOs play.
Cyber Risk Governance and Board Transformation
The journey of transforming boards into savvy cyber risk governance bodies is still under way, and it is not without challenges. First, there is the basic communication problem commonly observed between boards and the organization’s cybersecurity leaders. A recent Harvard Business Review article observed that although 47% of the board members surveyed believe that their organization is unprepared for a cyberattack, “about one third say that they interact with the CISO only when he/she is presenting to the board.” There is clearly room for improvement. Compliance with the new regulations and effective cyber risk governance will require ongoing communication between boards and CISOs.
The cyber risk governance challenges that boards are facing are further compounded by the ongoing severe shortage of expert cybersecurity practitioners. Cybersecurity competence in the ranks of corporate boards is still relatively rare. Leading organizations including FedEx, Hasbro, PNC, and UPS have already recognized the value of having deep cybersecurity competencies on their boards, enabling better governance of cyber risk. Others must find ways to identify, recruit, and retain qualified cybersecurity talent. Amidst the talent shortage, the proposed SEC ruling sets relatively high standards for what qualifies as cybersecurity expertise, including practical experience, education, and professional certifications, leaving little room for ambiguity. With in-house cybersecurity leadership the first logical choice, boards must now find ways to augment the available resources as necessary to ensure compliance.
A recent Forbes article suggested that to expedite and promote the ongoing cyber risk governance transformation, the corporate boards should actively engage with their organization’s technology and cybersecurity leaders to:
Stay updated with the latest developments in the cybersecurity space.
Understand the new SEC and investor community expectations and the required regulatory oversight support.
Educate the board on the latest trends, cyber risk factors, and their responsibilities as board members.
Consider engaging experts to support the board in their cyber risk oversight responsibilities.
Ensure the board is prepared to ask the right questions of management regarding business strategy, financial planning, and capital allocations in the cyber area.
Review board materials and presentations to ensure the correct documents are in place.
Emphasize the importance of technology safety as a critical driver in addition to cost, capability, performance, and speed to market.
The Role of the CISO in Board-Level Cybersecurity Governance
More than ever, CISOs play a crucial role in ensuring the board is well-informed and actively involved in cybersecurity governance. They are responsible for:
Educating the board on cybersecurity risks and incidents: CISOs must provide the board with accurate and timely information on cyber risks, incidents, and their potential impact on the organization. This enables the board to make informed decisions and prioritize cybersecurity investments.
Developing and implementing cybersecurity policies and procedures: CISOs are responsible for creating and enforcing robust cybersecurity policies and procedures that align with the organization's risk appetite and comply with applicable regulations.
Communicating the organization's cybersecurity posture: CISOs must keep the board informed about the organization's cybersecurity posture, including its strengths, weaknesses, and progress toward achieving its cybersecurity goals.
Engaging with regulators and stakeholders: CISOs should actively engage with regulators, industry groups, and other stakeholders to stay up-to-date on best practices and emerging threats. This helps ensure the organization remains compliant with regulatory requirements and is prepared to address new cybersecurity challenges.
Conclusion
The new SEC regulations require public companies to disclose their cybersecurity incidents, risk management strategies, and governance policies. The regulations highlight the increasing importance of cybersecurity in corporate governance and recognize the vital role of CISOs in managing cyber risk. The regulations will promote better communication between the boards and information security leaders and require a more bidirectional approach in cyber risk reporting and business resilience planning.
To comply with the rules, businesses must perform cyber risk assessments and develop and implement cybersecurity policies. CISOs can leverage the regulations to elevate their role and influence in the organization by using performance management tools to measure, monitor, and communicate their cybersecurity performance indicators. The new regulations pose both challenges and opportunities for CISOs: by meeting the compliance requirements, CISOs can enhance their credibility and visibility as leaders and partners in the organization.
Overall, the new SEC regulations are a significant step towards strengthening cybersecurity in corporate governance and increasing transparency in public companies. Cybersecurity Performance Management (CPM) platforms will be increasingly important to provide actionable insights for CISOs and to effectively communicate the current state of cybersecurity to the board.