What does the Boardroom need to know about Cybersecurity?
Tom Kaczmarek
Former Director of Graduate Studies and Director of the Center for Cyber Security Awareness and Cyber Defense at Marquette University
Ever since the "Year of the Breach" there has been a flood of interest in the question of boardroom knowledge of cybersecurity and the enterprise's posture with respect to it. The CISO of Target resigned as a result of a breach, but responsibility lies higher in the organization. The buck no longer stops with the technical leadership.
More than five years ago, New York Stock Exchange Governance Services commissioned a survey of directors of public companies. Two-thirds of the directors lacked confidence in their enterprise's ability to properly secure itself, despite the fact that nearly one-half of board meetings were addressing cybersecurity issues. The directors had clearly shifted the responsibility onto the CEO of the organization. Years later, major risk insurance providers have placed cybersecurity issues on the list of top concerns for their clients. As recently as last summer, Forbes published an article titled "Compliance Is Not Security: Why You Need Cybersecurity Chops In The Boardroom."
In forming a center on the Marquette University campus to address academic and community needs for knowledge and skills in cybersecurity, we chose the name Center for Cyber Security Awareness and Cyber Defense. The intent was to emphasize the need for everyone to be aware and the need for everyone to prepare defenses. Our cybersecurity awareness event two years ago emphasized that cybersecurity is everybody's job. Last year we emphasized educating everyone in the knowledge and skills that are required.
The world is full of companies marketing technical solutions and consultancy, but the directors on the board are led by the Chief Executive Officer, who is ultimately responsible for making managerial decisions. Where are the CEOs who are exerting leadership? I see three kinds of postures among CEOs who have taken meaningful action:
- Those who "got it" and led the discussion inside their enterprise and the Boardroom
- Those who after observing the risk to the enterprise and themselves "did it"
- Those who were breached or had a near miss, experienced the threat inside their organization, and "recovered"
Do you have a story to tell about an enlightened CEO who got it, or one who just did it, or who recovered?
Not every CEO has yet responded to the threats. The community needs to compile these stories and share them so that we can collectively reduce the risk.
Comprehensive IT/ICS/OT Cybersecurity Evangelist
5 years ago: Incidents and breaches shall continue indefinitely unless and until our paradigm shifts.
Advising organizations on managing risk, effectively
5 years ago: Cybersecurity representation at the Board is still inadequate. At Digital Assurance Advisors we have focused our practice to provide Cyber Advisory to the Board to address this need, as threat actors will not wait one or two election cycles until the Board ramps up. H.R. 1731 (https://www.govtrack.us/congress/bills/116/hr1731/text) stresses the importance of aligning with a qualified entity at the highest level to secure your organization. Rick Howard, Christopher Kolenda, Ph.D., Greg Duckert
We manage your IT. You focus on the business.
5 years ago: With the cost of attacks/downtime easily extending into the millions for many organizations, C-Suite executives must take heed. You can take a look at an article I wrote regarding the top threats businesses will face in 2020 here: https://www.dhirubhai.net/pulse/organization-under-siege-how-managed-service-provider-steb-scheele/?trackingId=HTZSXegWQAGnyOkZUxWUbw%3D%3D