January 22, 2024 By Jonathan Reed 3 min read

Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?

A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close to cyber, it will reach them anyway — at least according to a potential new SEC rule. What should security leaders do?

Cyber knowledge gap

A recent CyberEdBoard report said, “Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board.”

That might be a generalization as tech savviness increasingly makes its way into the upper ranks of business. However, when only a fraction of CISOs report to CEOs, it raises questions about how companies prioritize security issues.

Meanwhile, the federal government is increasingly concerned about the impact of cyberattacks, for example, on critical infrastructure and government agencies. And the feds are taking action to enforce compliance.

SEC enforcement moves forward

In 2022, the SEC nearly doubled the size of the Enforcement Division’s Cyber and Crypto Assets Unit. Since then, the unit has initiated enforcement proceedings against SEC-regulated entities due to insufficient cybersecurity controls and inadequate disclosure concerning cyber risks and incidents.

Over the past two years, SEC enforcement has resulted in charges, fines and settlements. Some of the biggest financial entities in the world have had to pay penalties ranging from $425,000 up to $35 million.

Are public company regulations next?

Now, the SEC’s proposed Rule 10 would specifically require all public companies to report material cybersecurity incidents on Form 8-K. Rule 10 would also mandate periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures — and the board of directors’ cybersecurity expertise, if any.

The board should get on board with cyber

Although some board members might still be reluctant to address security issues head-on, education is the key. Present easy-to-grasp figures, such as the global average cost of a data breach reaching $4.45 million, or the SEC penalties of up to $35 million.

Security leaders should also compile data about the real-world risk — and damage — that cyber presents to their company. How many attacks did you detect last year? How many breaches? What were the estimated costs? What measures are needed to minimize further incidents and what would be the investment needed?

These are simple concepts that any business-minded person can get their head around. Armed with this type of information, board members could converse intelligently with any regulatory agency.

It would be unreasonable to ask board members to become cyber experts, but they can be guided to understand the associated business risks and benefits. Additionally, cyber executives should have a seat in the C-suite — or at least direct access to the CEO.

Give the board terms they understand

According to Marco Túlio Moraes, CISO and expert board advisor at CyberEdBoard, security officers need to learn to speak in financial terms.

For example, can you explain the total loss exposure for your cyber risk portfolio in quantitative financial terms? This can help everyone grasp the size of the issue to drive the strategy. Healthcare, for instance, has a risk portfolio with an average loss exposure of $5.5 million, given a probable annual likelihood of 9% and an average loss of $40 million. Is this something your board can accept?

Once these numbers are clearly outlined, risk appetite and tolerance can be defined given constraints such as budget, staff, time and other resource limitations. From there, an informed discussion about strategic cybersecurity can happen, including investments, responsibilities and expected results.
