As cyberthreats continue to grow in both severity and total cost, cybersecurity is increasingly becoming a discussion at the board of directors’ level and part of the overall company compliance and risk strategy. Yet, given the technical and complicated nature of the topic, many are finding that the area requires additional expertise and education to fully understand the implications of this rising risk area.
NightDragon has been following this trend closely, including recently launching a report in partnership with the Diligent Institute that found a significant gap in expertise and education at the board level. NightDragon and Diligent analyzed the leadership composition of the boards of the S&P 500, finding that despite the rising risk and cost of cyberattacks, 88% of S&P 500 companies do not currently have an executive with specialized cybersecurity experience on their board to guide them on risk mitigation efforts, and 57% lack similar specialized experience in other technology categories.
To build on these findings, NightDragon conducted a survey of our NightDragon Advisor Council, where NightDragon Advisors anonymously shared their experience interacting with the board when it comes to cybersecurity and risk. NightDragon’s Advisor Council includes 80+ renowned industry leaders, including many highly regarded Chief Information Security Officers (CISOs) and other executives from some of the world’s largest and most influential organizations.
Findings from the survey include:
- More than 60% of Advisors said they report to the Board on a quarterly basis. Meanwhile, fewer than 5% said they reported more frequently, either on a monthly or a weekly basis.
- The majority of Advisors (60%) said the board of directors has increased its interest significantly in cybersecurity over the past year. 35% said interest had increased slightly. None said interest had decreased.
- More than 40% of Advisors ranked their Board’s sophistication in understanding cyber risk as “moderately sophisticated.” 35% said the understanding was “average” and 18% said “below average.”
- Nearly all (90%) said they expected board of director interest in cyber risk to increase in the next two years. None said they expected interest to decrease.
- Top areas that interested the board included top risks facing the organization, overview of critical incidents, AI technology adoption, ransomware, IT and OT network security, cyber risk governance, overall program maturity, operational resiliency, and more.
Additionally, we asked some of our Advisors to contribute their thoughts on a few specific questions around board of directors’ interest in cybersecurity and how they are advancing education. Here’s what they had to say:
How are you seeing conversations regarding cybersecurity evolving at the board level?
Fotis Papazafeiropoulos, Group Chief Information Security Officer, Group Cyber Security & Privacy Director, Coca-Cola Hellenic Bottling Company
There is increased interest in cyber, the evolution of the threat landscape, and the potential impact to the business. It is evident that cyber is one of the top enterprise risks, especially in organizations that have prioritized and accelerated their digital transformation journey. Still, there is room for improvement for the Board to reach an adequate level of understanding of cyber risk and how it relates to the accomplishment of business objectives.
Nick Shevelyov, vChief Security Officer
Interest is at an all-time high with no sign of peaking. This is an opportunity to leverage increased appetite to spend in this space to add intelligent and continuously improving generative AI systems to address age-old legacy friction points in cybersecurity, including but not limited to intelligence gathering, identity access management, and incident response.
Almon Tse, Chief Information Security Officer, Saks Fifth Avenue
At the public board level, for the better part of the last decade, cybersecurity has been a topic usually driven by regulatory requirements through the audit and risk committees. For private boards, you’d be lucky to hear about cybersecurity unless there’s been a business-impacting cyber incident. But now we are seeing a shift where the board-level cyber conversations are organic rather than being forced. There is no shortage of front-page, high-publicity ransomware attacks to spark those conversations, which have moved from the water cooler to the board room. Then there are the new SEC Cybersecurity requirements that in many ways have forced board members to learn more about cybersecurity or potentially risk losing a board seat.
Sebastian Goodwin, Chief Trust Officer, Autodesk
Having served on a board and audit committee myself, and as a CISO / Chief Trust Officer reporting to boards, I can tell you that there are some good signs of progress. In some cases, the conversation has evolved from red/yellow/green risk indicators and compliance check boxes to a more meaningful discussion that ties cyber risk to business risk. There are two key catalysts to this evolution of the boardroom conversation on cyber risk: 1) board directors who know the right questions to ask, and 2) cybersecurity executives who can meaningfully articulate cyber risks in terms of risks to the critical activities and objectives of the business.
Do you see increased board education and sophistication when it comes to cybersecurity?
Fotis Papazafeiropoulos, Group Chief Information Security Officer, Group Cyber Security & Privacy Director, Coca-Cola Hellenic Bottling Company
Cyber has developed massively during the last few years; attacks and threat exposure are becoming more sophisticated than ever before. The pace of board education, however, is not keeping the same pace. Trends are positive, but more work is needed in that area. Corporate governance and regulatory developments are for sure assisting in achieving this objective.
Almon Tse, Chief Information Security Officer, Saks Fifth Avenue
Even though the requirement for public boards to have cybersecurity expertise on the board did not materialize in the final version of the SEC Cybersecurity rules, this was a warning shot from the SEC. Boards are increasingly looking for readouts on cybersecurity risks from the CISO in closed-door settings, then challenging management on how they are providing the necessary financial and operational support to mitigate those cyber risks.
Gary Hayslip, Global CISO, Softbank Investment Advisors, Vision Fund
I see a greater awareness of the issue, and I see more courses being offered for directors on the topics of cybersecurity and risk. However, for the multiple boards I report to or the ones where I am an active director and sit on the board, it is still on the CISO to speak about cybersecurity.
Awareness at the board level is certainly increasing due to board exposure to mainstream media news on cyber risk, mostly related to impacts of ransomware attacks. As a result, board members are asking more informed and inquisitive questions to today’s cyber leaders than in years past. Examples we’ve seen include: “How resilient is our organization against ransomware attacks?”, “Are we spending the right level of investments to protect our business?”, and “How do we compare to our peers?”
Mark Carney, Chief Operating Officer, Coalfire
CISOs are learning to speak in business terms and to proactively engage with C-Level peers to incorporate cyber into different facets of business strategy. Increased cyber communication is coming by way of establishing cyber risk committees that provide alignment and reporting up to boards. However, with all our industry’s efforts to improve board awareness, the chasm is still wide. The cyber savvy board room is not a common occurrence, so there is much more to do.
What advice do you have for a CISO to better communicate with the board of directors?
- A strong business acumen, storytelling, and leveraging a continuous risk-based program framework will accelerate the success of sharing how cyber threats can impact organizational goals, financial stability, and brand reputation.
- Start with the critical activities and functions that make the business tick in its current state, then move on to the capabilities and conditions required to achieve strategic goals over the next 3-5 years and what might disrupt those efforts.
- Put together your message for their consumption, not yours. This means your message should be focused on the business.
- Establish strong relationships and work closer on the agenda and expectations.
- Raise awareness and capabilities through regular initiatives (external advisors, trainings, etc.).
- Lead with empathy and acknowledge and appreciate the various backgrounds and experiences your board members have.
- Speak with peers who have reported to your board so you know the audience you will be speaking to and how they process information.
- Use storytelling techniques and real-world examples to help communicate cybersecurity risks to the board.
To learn more about our NightDragon Advisor Council, please visit our Team page.
To learn more about cybersecurity and the Board of Directors, read our recent joint report with the Diligent Institute.