Does Your Board of Directors Know Cybersecurity?

There is a skills crisis in today’s executive suites. Boards of the future need to evolve to include cybersecurity expertise.

By Kevin Simzer, Chief Operating Officer at Trend Micro

Managing risk is one of the most critical tasks for the board of directors at any organization. Enterprises face business risk, legal risk, reputation risk, safety risk – the list goes on. But one element can significantly impact all of these: cyber risk.

The evolution of cyber risk

Cyber risk involves a myriad of internal and external factors. Threats to digital assets, infrastructure, and data can also seriously affect revenue, brand reputation, and business stability. A security breach in the United States costs nearly $10 million on average, and this average is growing every year.

As the modern business landscape evolves, cybersecurity is emerging as the most universal and significant risk that organizations of all sizes face. Cyber threats are growing in frequency and complexity, and the financial impacts are worsening. And as the generative AI boom continues, each of these factors will be exacerbated. Further complicating things, the pressure has been on for chief information security officers (CISOs) and their boardroom counterparts to better address this risk since the SEC announced its upcoming cyber disclosure rules in 2023.

Despite this unique and difficult array of challenges, the board of directors at many large organizations still lacks cybersecurity expertise.

2024 will mark a new era in the cybersecurity arms race, highlighting this critical issue. A CISO cannot improve an organization’s cyber resilience alone. CISOs are experts at understanding and managing cybersecurity risks but are often unable to effectively demonstrate the importance of these issues to other executives. This type of board composition – where one person is at odds with others due to a gap in knowledge or understanding of risk – inherently limits an organization’s ability to reduce cyber risk.

Understanding and managing risk

If CISOs are to successfully engage with others in the C-suite to make meaningful changes to their organization’s approach to risk, it is important not to focus only on cyber risk, but to consider it responsibly as a key part of the organization’s overall business strategy. Boards must ensure that cybersecurity investments and initiatives support the achievement of strategic goals while mitigating risks that could hinder business performance or growth.

A CISO or other expert can help the board with this process through a simple risk-assessment mindset: how prepared is the organization, what are the risks, and how can they be mitigated? With the new SEC disclosure requirements, failing to answer these questions is also coming at a greater cost. Executives at publicly traded companies have been found criminally liable in recent years for not properly disclosing breaches.

Improving cybersecurity risk management and awareness across an entire organization also requires a cultural shift that makes security everyone's responsibility – but this must start in the boardroom. Leadership must demonstrate the value of a proactive security approach. This includes continuous security monitoring as well as regular reviews of cyber risk, incident response capabilities, and progress towards security objectives. By maintaining visibility of these elements, CISOs can effectively understand the organization's security posture and enable the board to make informed decisions.

Moving forward

Executives at organizations of all sizes and in all industries must adopt a forward-thinking approach to cybersecurity that makes it a key piece of overall risk management and business strategy, anticipates future trends and challenges, and promotes a culture of proactive security. Customers, partners, and investors are watching cybersecurity more closely now – and the new SEC rules are making this even more important. It will be critical for boards of the future to evolve to include cybersecurity expertise in order to be competitive on the market. By looking ahead and ensuring that they have the proper expertise in their suite, boards can fulfill their oversight responsibilities, build public trust, and protect the organization against ever-evolving cyber threats.

Addressing the cyber skills crisis on boards and prioritizing cybersecurity expertise is not only a necessity but a strategic advantage in modern business. A collective effort is needed from organizational leaders, industry experts, and potentially policymakers to drive this essential transformation.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.