Expanding the Role of CISOs on Boards

The Securities and Exchange Commission has found serious shortcomings in how public companies are addressing cybersecurity and risk assessment, with new rules expected to be announced by the end of the year. As a result, new board opportunities are opening up for chief information security officers.

November 21, 2022 – Not since 2002 and the passage of the massively consequential Sarbanes-Oxley Act, when the Securities and Exchange Commission (SEC) began requiring public companies to have their chief executive and chief financial officers personally certify financial reports and to maintain independent audit committees, has there been such a critical impending change to board skill-sets and reporting. The SEC has once again identified a serious gap in board expertise, governance, planning, accountability, public disclosure and response – this time in the areas of cybersecurity and risk assessment – and has proposed rules to address it. The changes are expected to be finalized by the end of the year.

The SEC’s proposed amendments would require registrants to disclose material cybersecurity incidents to investors (on Form 8-K, within four business days of determining that an incident is material) and to provide updates as those incidents are investigated and resolved; to describe the policies and procedures they use to identify and manage cybersecurity risk; to report on the impact of incidents on the bottom line; and to disclose how the board oversees cyber risk and what cybersecurity expertise its directors have. Thus far, the SEC has described the outcomes it wants to see and has not said how companies can best satisfy the new requirements.

DHR Global has been actively focusing on what the right cybersecurity expertise encompasses at the board level, how it will dovetail with management’s technology leaders such as the chief information officer, and is recommending its clients get ahead of the new rules by recruiting highly qualified chief information security officers (CISOs) to take their seats at the table as board directors.

“Thanks to the SEC’s new cybersecurity requirements and the growing threats evolving from digital technology and the use cases and business models they enable, there is a huge opportunity for CISOs to broaden their roles into the boardroom,” says the search firm in a new report.

The Ideal CISO Board Member

According to DHR’s proprietary research, to date, only seven of the 500 largest public companies in the U.S. have an experienced CISO currently sitting on their corporate board of directors.

“Among our clients we are increasingly seeing that cybersecurity is becoming a new agenda item at every board meeting,” said Heather Smith, partner in the board and CEO practice at DHR. “Our research shows that the vast majority of boards do not have a CISO among them. As such, non-technical board members are called on to provide guidance on cybersecurity risk. It’s becoming apparent that there is a specific cybersecurity skill-set that we are recruiting for to meet both the current need and the impending SEC requirement.”

“The ideal board CISO provides a competitive advantage and brings relevant, recent experience from the last two years, has a long lens when it comes to the latest cyber vulnerabilities and a strategic, proactive outlook, and is able to communicate effectively regarding what risk management entails at the board level,” said DHR’s Kathryn Ullrich, managing partner in the advanced technology practice. “They understand IT security but also the company’s strategy and how IT should support that strategy.”


What has caused this massive threat and critical omission at the board level? Digital technologies and their impact on the modernization of networks and infrastructures are at the heart of the issue, according to DHR. “Already in play, these changes have been sped up out of necessity by business closures and remote workers due to COVID, workplace re-openings, and a newly hybrid workforce, supply chain disruptions, applications and operations moving to the cloud, a slew of new internet of things devices and multi-domain networks in which operations technology and information technology networks are merging – all have meant that there are many new and ever-evolving avenues for hackers to take into the heart of economies, businesses and everyday life,” said the report. According to the World Economic Forum, 70 percent of economic growth is now being driven by digital technologies.

Threats in Many Forms

The numbers, says DHR, are startling: cyber-attackers can breach 93 percent of company networks, according to new research from Positive Technologies; cyberattacks in 2021 increased by 50 percent compared with 2020, as reported by cybersecurity firm Check Point; cybercrime cost U.S. businesses more than $6.9 billion in 2021, the FBI told Newsweek in March 2022; and 29 percent of CEOs and CISOs and 40 percent of chief security officers admit their organizations are unprepared for a rapidly changing threat landscape, reports ThoughtLab from its 2022 cybersecurity study.


“Today’s cybersecurity threat takes many forms and can vary by industry,” said the DHR study. “Among this year’s top issues according to CSO Magazine: ransomware, cryptomining/cryptojacking, deep fakes, video conferencing attacks, XDR (extended detection and response across endpoints, email, identity and access management, network management and cloud security), operational attacks against IoT and OT, and supply chain attacks such as the recent SolarWinds breach.”

In its study, DHR points to a wide range of potential targets:

  • Education: Outdated technology, massive stores of data and hybrid campuses are putting education at risk. Data breaches, phishing and ransomware are the top methods for attack here.
  • Healthcare: In healthcare, it is the vast number of new medical and IoT devices now on the network that are most at risk, with hackers targeting patient care devices, launching distributed denial of service attacks and demanding ransom, holding hospitals hostage.
  • Manufacturing: In manufacturing, as multiple OT, IT, and cloud networks connect for the first time, the lack of end-to-end security is causing issues as new, wireless endpoints and legacy systems suffer from weak encryption impacting production and distribution.
  • Energy: In energy, it is inefficiencies in identity and access management and a lack of system integration that causes vulnerabilities in the supply chain.
  • Financial Services: Financial services continue to be threatened by data breaches from ransomware, phishing, web application and vulnerability exploitation and denial of service attacks.

A former CISO at General Motors and Visa, and current advisor to CISOs and companies on how to effectively present to the board, James Christiansen has raised another issue beyond the lack of cybersecurity expertise. “Today’s guidance from the National Association of Corporate Directors about what the board should be asking falls short of the practical because it doesn’t provide knowledge of how to interpret the answers given to those questions,” he said, as cited in the DHR report. “You have to watch for executives providing overly rosy pictures of the state of cyber readiness from dashboards that provide numbers but little understanding of the actual risk and how to address it.”

Meredith Griffanti is a senior managing director and co-leads FTI’s cybersecurity and data privacy communications team, one of the largest crisis communications practices focused specifically on cybersecurity. FTI has advised hundreds of companies including financial services firms, critical infrastructure operators, leading technology providers, hospitals, schools and the government on cyber incident response and preparedness. FTI’s recent research found that 82 percent of surveyed CISOs say they feel pressure to present a positive, ‘everything is covered’ picture to the board. “In today’s dynamic and fast-moving cyber threat landscape, it is essential for both risks and investment needs to be effectively communicated to the leadership and board of every company,” Ms. Griffanti told DHR. “Without a clear understanding at the highest levels of an organization’s cyber risk profile, companies will be left vulnerable to cyberattacks of all kinds.”

Andre Mintz, a 30-year veteran building and leading information security programs at global scale at companies such as Meta, financial services Newport Group, Red Ventures, Reuters, Microsoft and Kinko’s, was placed by Kathryn Ullrich as CISO on the board of Absolute Software, an endpoint resilience solutions provider embedded in over half a billion devices. “My job as an integral part of the board is to participate not only at ‘report outs’ when cybersecurity comes up, but to be part of all the board’s discussion around business strategy, vision, direction so that I can clear a path and future proof or get ahead of where a company is going as it enters new markets or encounters threats,” he told DHR. “I want to ensure the right controls, certifications and processes are in place well before it is necessary so that the company doesn’t have to slow its progress and can remain agile no matter what the business encounters.”


Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media
