10 Ways Boards Are Setting Their Companies Up For Cybersecurity Failure


The boardroom is a critical control in every company’s system of cybersecurity risk management. An ineffective approach to cybersecurity governance creates an overall system of cybersecurity that is weaker than it needs to be—often much weaker. This weakness is unfortunately pervasive across many boardrooms and it fails investors, management teams, other stakeholders and the promise of the digital future.

As economic growth and output become ever more dependent upon digital business systems, corporate boards put their companies at risk when they are not a high-performing part of the organization’s system of cybersecurity risk management.

Too much is at stake for corporate boards to not be leading on these issues. Here are the ten ways boards are setting their companies up for cybersecurity failure:

Number 10: By not understanding or following the standards that exist in cybersecurity governance.

Digital and cybersecurity risk oversight is a developing part of corporate governance. It is not, however, without standards: standards bodies, regulators and leading-practice boards are defining new processes, policies and procedures to govern cybersecurity risk effectively. Boards that fail to learn from, follow and assess themselves against these standards slow the development of an effective approach to cybersecurity governance and impair the entire system.

Number 9: By not viewing themselves as a critical control in the overall system of cybersecurity governance.

A systems view is required for boards to fully understand digital and cybersecurity risk and to govern it effectively. This starts with the board’s realization that it is a vital part of the system. The saying that digital and cybersecurity success starts in the boardroom reflects the important role of boardroom leadership in the ultimate effectiveness and performance of the entire system.

Number 8: By having their audit committee govern cybersecurity risk.

Even the SEC has called out the weakness of this approach. It is a leading bad governance practice, and one that MGM, Caesars and Clorox all had in common. The problem is that it misaligns director skills and does not allow enough time and focus to be spent on the complexities of cybersecurity risk, given the busy financial reporting mandate of the audit committee. Leading-practice boards are implementing digital and cybersecurity committees and getting cyber out from underneath the smothering mandate of the audit committee.

Number 7: By not governing the three different types of digital risk.

Complex digital business systems require boards to govern opportunity risk, cybersecurity risk and systemic risk. While cybersecurity risk is the burning platform that directors are frightfully aware of, digital innovation, or opportunity risk, is the platform upon which it burns. And systemic risk, particularly systemic cyber risk, is a new dimension of enterprise risk that most boardrooms and many management teams are entirely unfamiliar with. But it is a symptom of digital innovation, and one that hackers are well aware of and exploiting to great effect.

Number 6: By viewing risk related to the complex digital business system as a risk similar to legacy enterprise risks.

New innovations can create entirely new risks and different types of risk. Failing to understand the depth and breadth of the risks related to complex digital business systems handicaps the performance of the entire company. This impairs the digital upside while materially increasing risk to the enterprise. It also prevents directors from understanding the magnitude of change they need to respond to, and the actions they could take that would relatively easily strengthen the board’s role in the overall system. The cybersecurity insurance industry has already come to this realization the hard way; boards should follow, and understand that many of these risks are unique to these technologies and require new approaches.

Number 5: By not understanding the business value implications of cybersecurity risk.

Without a quantitative and qualitative understanding of how the complex digital business system contributes to the company’s value proposition, it is impossible to understand cybersecurity risk. Risk exposure to the P&L, balance sheet and market value is a start. But the analysis also needs to capture how the digital business system drives value for customers, suppliers, communities, employees and investors more broadly. Only then can value be truly aligned with an effective controls environment and an accurate understanding of the organization’s entire digital risk profile.

Number 4: By underestimating U.S. regulators in cybersecurity governance.

Do something bad enough, long enough, and even U.S. regulators will get fed up and step in. The SEC released new cybersecurity disclosure rules in 2023 and plans to enforce them. The SEC’s 2024 examination priorities highlight information security and operational resilience as a core focus area for its Division of Examinations in 2024.

While the SEC went soft on disclosure by leaving the ridiculously lightweight proposed rule on disclosure of directors with cyber expertise out of the final rules, it would be a mistake to read this as a lack of U.S. regulatory desire and will to strengthen cybersecurity protections for long-suffering investors, customers and other stakeholders. The cyber tone at The White House is clear on accountability for those that have created this risk environment—stating that they have a responsibility to tame the monster they created. And while some governance associations continue to set boards up for failure through their lack of understanding of, or support for, common-sense cybersecurity governance reforms, hackers, plaintiffs’ attorneys and government regulators will continue to extract a heavy toll from failures in cybersecurity governance as they make examples of those failures.

Number 3: By not viewing themselves as a part of the CISO’s team, and vice versa.

CISOs want and need a high-performing board on cybersecurity risk; they don’t want to go it alone. CIOs likewise want a high-performing board on digital opportunity risk. Boards should be meeting with the CISO in executive sessions, and there should be a common understanding of digital risk on both sides of the boardroom table. Boards that perform well in cybersecurity governance work as advisors to the CISO and CIO on these complex risk issues.

Number 2: By failing to define boardroom responsibilities in digital and cybersecurity risk oversight broadly enough.

Frequently, boards describe their responsibilities for cybersecurity risk oversight in a few words, or with a short perfunctory sentence bolted onto an audit committee charter—itself a symptom of the audit-committee alignment problem. High-performing boards have a comprehensive statement of activities and responsibilities articulated in their digital and cybersecurity charter that covers data, information architecture, risk communications, emerging technology, third-party risk, IT operations and regulation. Digital success starts with the board holding itself accountable to its fellow board members, the management team and all other stakeholders through a comprehensive articulation of the breadth of issues it governs across the complex digital business system.

Number 1: By not having directors with cyber expertise on the board.

Directors cannot govern what they don’t understand. Why this is a debatable issue remains a mystery to those who understand the reality of cybersecurity risk, especially when adding directors with cybersecurity expertise to the board is a relatively easy thing to do. Negative bias and misinformation about CISOs, and a lack of understanding of the breadth of their general business competencies, are rampant. Recognizing that the job of a CISO requires highly developed general business competencies well beyond technical aptitude will serve investors and all stakeholders well on cybersecurity risk.

The practice of providing directors with questions to ask about cybersecurity is not only laughable as a governance practice but useless in practice. Leading boards continue to find and add capable directors with deep cybersecurity expertise, because they realize it is the director’s ability to understand management’s answers to meaningful questions that drives cybersecurity governance effectiveness.

Boardroom leadership matters, especially on issues like digital and cybersecurity value creation and protection. The cybersecurity crisis facing companies around the world is ultimately a crisis of leadership, and the entire cybersecurity system will underperform as long as the boardroom remains the weak link in the cybersecurity chain.
