Modern CISO Network: Board Book

A directory of board-ready security leaders


Foreword

By Joseph Steinberg, Cybersecurity, Privacy, and Artificial Intelligence (AI) Expert

Today’s generation of adults has witnessed the nearly miraculous transformation that technology has delivered to society, changing our lives in ways that were once unimaginable even to writers of science fiction. We think nothing of it when we engage in activities our childhood selves would have considered magical, such as making video calls with people from around the world or receiving packages delivered by autonomous aircraft.

Of course, amazing technological advances often come with risks; in our case, our constantly increasing reliance on information systems exposes us to an ever-growing danger that wrongdoers will exploit cyber vulnerabilities to inflict real-world harm. As we now know, hackers can destroy businesses, undermine liberties, and even endanger lives.

As cyber risks expand, the discussion about how to manage those risks continues to “move up the chain of command.” In the early days of the internet, not only did engineers and first-level managers often establish cybersecurity policies without involving senior corporate management, but CEOs and boards may not have even understood what it meant to connect their businesses to the internet.

Today, we live in a different world — corporate boards are increasingly bearing ultimate responsibility when it comes to cybersecurity. Cybersecurity is no longer a technical topic discussed primarily in data centers; it is a critical component of organizational success. CEOs are responsible for managing cybersecurity risk, while directors are responsible for overseeing it, just as they are both accountable for ensuring that the business addresses risks such as accounting or compliance.

Despite a nearly two-decade barrage of news reports of data breaches and other cyber attacks, corporate boards are failing to oversee cyber risk mitigation. This is likely because cybersecurity is a relatively new and rapidly changing risk for businesses, and time-tested best practices have not yet been established. Even more fundamentally, it is against human nature to mitigate cyber risks. Over thousands of years, our survival instincts have evolved to protect us from visible threats like fires and dangerous predators, and now, our bodies and minds are not naturally optimized to “feel” the threat of hackers sitting 8,000 miles away. As I have said many times over the past 20 years: Humans are the Achilles heel of cybersecurity — never underestimate the impact of human biology on cybersecurity.

Of course, I’m not saying that boards ignore cybersecurity. Today, most directors are aware of the importance of cybersecurity and committed to ensuring that their management teams properly mitigate cyber risk. Boards regularly encourage senior management to allocate steadily increasing budgets for cyber defense; however, despite such commitment, many boards still lack the knowledge and experience to meaningfully oversee cybersecurity. Boards want to do what is right; they just don’t know how to.

The deficiency is not always obvious; unfortunately, it often becomes evident only after a cybersecurity incident occurs. Companies with boards that lack members with sufficient strategic-level cybersecurity experience often end up investing their cybersecurity budgets in suboptimal ways that ultimately yield unacceptable results. Because institutional investors often deem risk management oversight the board’s most important responsibility, they often demand transparency in that area. When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

While the primary cybersecurity task of a board is to ensure that the company properly manages cyber risk, board members often go overboard (I had to get at least one pun into this piece) and mistakenly avoid important conversations by dismissing them as too technical or detailed. Ironically, sometimes directors do the opposite and draw their colleagues into tactical discussions about how to “strategically” implement the latest fleeting technology buzzword or make unnecessary investments that address immaterial risks and therefore do not yield meaningful business results.

As fiduciaries, boards must ensure that their management teams implement proper plans to ensure that their respective businesses are adequately resilient to cyberattacks (which are inevitable), and that any remaining exposures are limited to known, acceptable, and manageable risk levels. As a result, cybersecurity risk is becoming a staple of internal audit functions.

Because cybersecurity is a relatively new discipline, many organizations plan and measure cybersecurity matters using key performance indicators that may sound like effective criteria for measuring success, but they are actually improperly chosen and severely flawed. Board members often hear and accept at face value reports of cybersecurity success based on criteria that are not meaningful and often misleading. I’ve lost count of how many times I’ve seen organizations measure the number of breaches per quarter, without investigating how many attacks were launched to begin with, without understanding the relative potential damage, and ignoring the fact that the most harmful breaches are the ones that have not yet been reported or detected.

While regulators have been relatively slow to act on the cybersecurity role of boards of directors, they are emerging from their slumber. Since 2011, the U.S. Securities and Exchange Commission (SEC) has advised public companies in the U.S. to disclose major cybersecurity risks and incidents that could significantly increase investment risk. In 2018, the SEC expanded upon that guidance by recommending that boards of directors publicly disclose how the board is overseeing cyber risk mitigation. And, earlier in 2023, the SEC proposed new regulations that would require public companies to disclose even more information about their cybersecurity postures.

Newer state and federal regulations further require directors to understand their organizations’ security stance. New York State, which hosts the tenth largest economy in the world, now requires entities regulated under its banking authority to establish and adhere to strict minimum cybersecurity standards and their boards must approve formal cybersecurity programs that deliver on those requirements. Major policy shifts are also beginning to transfer liability for some cybersecurity issues away from individual users and small entities onto technology firms. The 2023 U.S. National Cybersecurity Strategy shows us that directors of technology vendors have plenty of incoming risks that their respective firms must be prepared to mitigate.

The winds of change are not solely blowing in the United States. The Australian government is reforming its own cybersecurity policies and regulations in ways that will likely place far more responsibility on boards, and the European Union’s (EU) new Network and Information Security (NIS 2) Directive broadens various responsibilities, including incident reporting. The General Data Protection Regulation (GDPR) went into effect five years ago and affects not only businesses in Europe, but also companies in the U.S. that do business in Europe. The GDPR established significant data security and privacy rules, with penalties for violations so potentially huge (4% of worldwide revenue) that just a single fine could transform many of today’s profitable companies into firms operating at a loss.

The message could not be clearer: Cybersecurity risks can inflict terrible harm — including, at times, existential danger — to the viability of corporations, and, as such, cybersecurity will receive the same high-level oversight as other, longer-known types of risks. Just as regulators have historically characterized compliance breakdowns as failures of governance and board oversight, they are almost guaranteed to eventually do the same after cyber breaches with adverse consequences that significantly exceed board-designated levels of acceptability.

Unfortunately, bringing cybersecurity expertise into the boardroom is not as simple as hiring a brilliant CISO and inviting them to attend board meetings. Often, the only way to achieve adequate board-level oversight requires changing board composition to add individuals with sufficient cybersecurity knowledge and skills. Companies need security experts with a deep understanding of the business who can fully understand how it could be affected by security risks. They need individuals who can facilitate and lead appropriate, impactful, and relevant cybersecurity discussions at every board meeting.

Just as boards must have the relevant expertise among their members to ensure that senior management is properly managing operational, compliance, and financial risks, boards must also include directors with cybersecurity backgrounds who are well versed in managing cyber risks.

While businesses need expert guidance and oversight from professionals with cybersecurity management expertise, up to 90% of Russell 3000 companies do not have even a single director with such expertise.

According to the IANS Research report, CISOs as Board Directors, successful board placements of cybersecurity professionals involve recruiting people with five key traits: tenure in cybersecurity, broad experience, scale, advanced education, and diversity. Deep infosec tenure includes having several years of experience as a CISO (or the equivalent) and more than 10 years working in cybersecurity. Broad, cross-functional experience gives them a comprehensive understanding of how the business works. Global perspectives help address organizational complexity and diverse perspectives help boards identify blind spots. Advanced degrees, certifications, and publications can boost the credibility of the board.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.

As the first part of a larger initiative to help facilitate understanding, conversation, and decision-making about cybersecurity at the board level, The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

As such, I am thankful to have been asked to write this foreword, and I am excited to introduce you to these security experts as part of the inaugural edition of The Modern CISO Network: Board Book.

About the author:

Joseph Steinberg serves as a cybersecurity-focused expert witness, board member, and advisor to businesses and governments around the world. He has led organizations within the cybersecurity industry for over 25 years, and has written books ranging from the best-selling Cybersecurity for Dummies to the official study guide from which many CISOs study for certification exams in advanced information-security management.

Known for offering keen insights and unique perspectives on cybersecurity, Artificial Intelligence (AI), and the potential impacts of technological developments on human society, Steinberg amassed millions of readers as a regular columnist for Forbes and Inc. magazines. Today, his independent column – appropriately titled Joseph Steinberg: Totally Candid – receives millions of monthly views, making it one of the most read columns focusing on cybersecurity and related matters. Analysts have calculated that he is among the top three cybersecurity influencers worldwide.

Steinberg has helped many organizations improve their management of cyber-risk, and has assisted attorneys in achieving just compensation for parties wrongly harmed via cyberattacks. His opinions are frequently cited in books, law journals, security publications, and general interest periodicals; his cybersecurity-related inventions appear in over 500 US patent filings. He remains one of only a few dozen people worldwide to hold the suite of advanced information security certifications CISSP, ISSAP, ISSMP, and CSSLP – indicative of both the depth and the breadth of his cybersecurity expertise and experience.

In addition to his primary work, Steinberg serves as a Senior Policy Analyst at the Global Foundation for Cyber Studies and Research think tank, a member of Newsweek’s Expert Forum, a member of the Cybersecurity Council at CompTIA (the world’s largest technology trade association and its second-largest related certifying body), and a board member at several non-profit organizations. He also served on, and was unanimously elected chairman of, a governmental Financial Advisory Board.

Steinberg co-founded and served in multiple capacities (including tenures as CISO, CEO, and Chairman of the Board) at the cybersecurity firms Green Armor Solutions and SecureMySocial. Earlier, he served in several senior capacities (including functioning as the CIO and CISO for US operations) at Whale Communications, later acquired by Microsoft.

© 2023, Lacework, All Rights Reserved.