Cybersecurity Is Just Too Serious For Boards to be So Clueless!

I just read Grading Global Boards of Directors on Cybersecurity, published by The Harvard Law School Forum on Corporate Governance and Financial Regulation, and I'm appalled by the findings laid out in the article and in the underlying Nasdaq/Tanium report, The Accountability Gap: Cybersecurity & Building a Culture of Responsibility.

According to the report, the level of 'cyber literacy' was shockingly low: in the US, 59% of Directors, 77% of C-Suite, and 78% of CIOs 'indicated that they were cyber literate' (in some other parts of the world the numbers were far lower). As far as I could tell from reading the report cover to cover, these findings were obtained by asking rather than by testing knowledge. Do I even have to say 'Dunning-Kruger Effect' to make it clear how exaggerated the numbers might be?

Maybe I'm being too kind, but I can excuse 23% of the C-Suite for not feeling cyber literate. After all, they interact regularly with the CIO and so rely on their 'IT guru' to guide them. And I don't know WHAT to say about the 22% of CIOs who don't feel cyber literate! (I know just what to say to their CEOs, though: 'organizations get the IT they settle for.')

It's the 41% of Directors who consider themselves 'cyber-illiterate' who are my focus here. Boards occupy a unique and vital position in corporate governance: they are proxies for the investors who entrusted their capital to a firm, and thus accountable for asking the right questions and understanding the answers to those questions. There's a great quote, attributed to Kris McConkey of PwC, in the report:

"It’s knowing which questions to ask, but it’s also knowing what evidence looks like. It’s not even just being able to interpret the information, because a lot of that would be technical, but also being able to demand proof that somebody can stand by their answers."

These low levels of awareness and understanding among Directors are appalling in light of the ever-increasing pervasiveness of technology in products, processes, and throughout the operations of modern organizations.

While I agree with much of the Harvard Law School article, the authors state that what's needed to help Boards provide better cybersecurity governance is organizational adoption of the NIST Cybersecurity Framework.

I disagree: not with the value of the framework, but with its effect on Board governance. The 'adoption' of a framework will do very little to actually increase the skills and interest levels of Board members. I've been CIO at organizations that 'adopted' the COBIT framework, among others. What I saw was real knowledge being acquired by the functional specialists (who already had a very high level of awareness and interest in the subject) and lots of internal 'marketing' of watered-down concepts by the training/compliance folks (that's not a dig at training and compliance folks; there are so many things about which employees need training, and limited time and money budgets for serious training). Everyone took the required 15-minute video class, compliance was attested to, and life went on as before.

What's needed is the election of Digital Directors to Boards: seasoned business executives who have significant experience as CIOs (or CTOs and CDOs). The best 21st-century CIOs have spent years mastering technical issues (78% of them have, anyway) and almost as many years interacting with Boards, C-Suite peers, and even customers. These executives think in business terms first, and about technology as it relates to business, just as a good CFO thinks about business first and about FASB/IASB/SEC/IRS only in the business context. What Board members may not realize is that IT is one of two departments that see the entire 'order-to-cash' process and data flow from one side of the organization to the other, from organizational silo to organizational silo, and beyond (suppliers, bankers, partners, customers, etc.). This means a CIO has a good knowledge of just about every business process without having a special allegiance to any one organizational silo: that adds value as a Director over and above technical expertise.

Some Boards elect a technology-sector CEO or CFO and feel that provides the proper degree of cyber literacy. Maybe, maybe not. Knowing how to run a technology company is a valuable skill, but it's not the same as running an IT department and dealing head-on with disaster plans, security audits, technical debt, ERP conversions, and the myriad hands-on lessons that allow CIOs to interpret 'evidence' (for more about these other issues see my recent post Boards Should Ask IT About Overlooked Risks).

Boards are about 'noses in, fingers out.' A Board with a Digital Director able and willing to stick the right 'nose in' to technology matters will help drive a culture of awareness and accountability through an organization from the top down, where culture shifts should start.

This is well-said, Wayne. I continue to like how you think and frame things. Do you have a post you can share (by you or someone you like) discussing the QTE "Qualified Technology Expert" concept in more depth? Every time you mention it, I find myself intrigued and wanting to learn more!

Aaron Zamykal

CEO | Founder | +10 years in AI

8 years

We are definitely making decisions on this at board level - I guess it depends on the exposure / willingness of the directors to take this issue seriously. AICD is also raising awareness in this area.

SUSAN L. MILLER

Strong Customer Service and SaaS pro seeking new role

8 years

I like your statement "organizations get the IT they settle for." The suggestion that a Digital Director be part of every board is a great one!

Joel A. Holt, Esq.

Senior Attorney at Maguire Schneckenburger Legal Group

8 years

I agree. Especially with the concept that adoption of the NIST framework will somehow improve literacy. That just isn't true. If anything, adopting a "framework" will make executives feel like the box is checked and may even have the effect of widening the attention gap. As an attorney, I think the solution is more about education. General counsel should be all over this issue and recognize it for the threat it is. GC should be finding people who can help educate the board and executives, and provide sound legal opinions regarding information security. But, this is the end result of a culture of compliance. Box checking does not breed competence. It breeds "adequate" effort to get the job done. Organizations should foster an organizational culture of security - where all execs and employees buy in to the importance of a team focused approach to security. Compliance does not beget security, but security will beget compliance.

The one point I would make on the comments, and not specifically the article, is in regards to the difference between Boards opting for a consultant versus a Digital Director coming from either the CIO or CISO seat. I think the difference in potential value (which varies based on a number of factors as to why the below value may or may not be as important) is the statement in the article: "This means a CIO has a good knowledge of just about every business process without having a special allegiance to any one organizational silo: that adds value as a Director over and above technical expertise." I would hope the above statement would ring true for any CISO also; otherwise, what threats is the CISO missing? (This does not have to be a purely technical vector, e.g. malware, but one that utilizes technology, e.g. a business logic flaw in an application.)
