No use in telling you that cyber risk has quickly sneaked its way into the boardrooms even as the pandemic has triggered more tech proliferation. There have been several high-profile cyber attacks on enterprise boards in recent years. The famous one was on the board of Sony Pictures by North Koreans after it made a movie on assassination of its dictator. Yahoo, Target, Equifax and many others globally had suffered such attacks.
The size of the cyber security market catering to enterprise boards is expected to be significant and is projected to continue to grow in the coming years. The global cyber security market is expected to grow from $152 billion in 2018 to $250 billion by this year-end.
Vulnerabilities, protection and technology are now an inevitable part of board discussion. Worldwide, cyber oversight has moved beyond being just a good policy to become legally enforced governance duty. This leads all boards to a good news/bad news update on board cyber oversight. First, how are companies preparing to prove that their digital defences are in good order, and how do their boards play their fiduciary role in assuring them?
The first step is to get the board members who are knowledgeable and current on cyber security to enlighten the rest of the board. But this is easier said than done. Of course there are various routes to boosting board cyber security knowledge. Data from the Rotman Business School in Canada show that in 2021, 55 per cent of public company directors in the US had “technology” expertise (this was at 40 per cent in Canada), but this is widely defined.
The ideal would seem to be naming an experienced chief information security officer (CISO) to the board. The new breed of CISO is not just deep on technical knowledge and challenges, but also knows about risk and financial exposures.
Second, a broader approach to cyber skill may be more effective, given the way technology today is touching every element of board oversight. Adding an independent director who knows cyber risk and ISAC (Information Sharing and Analysis Centre) helps. Strategy officers, chiefs of compliance, or chief legal officers are some suggestions from experts in the cyber security and data privacy industry. The board talent wish lists need to move beyond overall technology to target AI and deep learning skills. AI is about to become critical for every company and will soon be a must-have boardroom insight.
Third is about board structure to increase (and demonstrate) tech skill and commitment. Adding a dedicated board technology committee sounds good, but is likely still an overreach for most boards, especially in smaller companies and mid-caps. A better idea is to schedule a yearly strategic dive into the charters of all your board committees, and explore how tech/cyber/risk oversight matters can be woven into the specific duties of each.
Fourth, a strong relation between the board and company info tech/security staff is a must. Make sure that CISO reporting is on the agenda, and that they interact on a regular basis. We find that today’s CISOs are moving beyond mind-numbing tech reports to learn the language and skills needed to communicate with board members. Still, CISOs have every reason to paint a pretty picture in reporting to the board. Experts advise that the burden is on your board to assure the CISO to be comfortable in bringing bad news.
Muneer is co-founder of the non-profit Medici Institute, and Ralph is global board advisor, coach and publisher