Business boards and CISOs fortify cyber defense

April 10, 2023

As cyber risks become more serious, business boards and chief information security officers (CISOs) are working more closely together to fortify their defenses in anticipation of prospective legislation that may mandate greater responsibility.

According to Axios’ experts, publicly traded companies have spent the last year preparing for a proposed Securities and Exchange Commission (SEC) regulation that would require private companies to publicly report cyber incidents within four business days and reveal their response policies.

The proposed legislation from last year also requires an annual report on company boards’ cybersecurity competency. The SEC, however, has not stated when the final regulation would be released. Boards have been grappling with an increase in ransomware attacks and data breaches, along with other cyber and privacy rules, in recent years. These incidents have driven board members to learn more about their firms’ cyber risks and prompted senior security managers to improve communication with them.

Previously, business boards have struggled to understand the security threat landscape. As a result, they have treated security as an expense that can be cut, and security personnel have been made scapegoats after a significant incident. This perception, however, is changing.

According to a poll conducted by The Wall Street Journal last month, more than three-quarters of board directors have at least one cyber specialist on their board. Many of the world’s largest publicly listed corporations now include on their boards a former CISO, chief technology officer, or government official to help bridge knowledge gaps.

“Cybersecurity is no longer just a back-office issue that is rarely talked about,” said Friso van der Oord, senior vice president of content at the National Association of Corporate Directors. “It can cause catastrophic damage to many organizations, and we’ve seen the volume of successful cyberattacks rise significantly.”

CISOs have also become better at communicating their teams’ priorities and the threat landscape to boards, according to Bob Maley, chief security officer at Black Kite. “Today, the best CISOs may not be the best hackers or the best technical people, but they’re the best ones that can translate that technical language into the language of the board,” Maley added.

The sources for this piece include an article in Axios.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
