January 22, 2024 By Jonathan Reed 3 min read

Why are companies concerned about cybersecurity? The main drivers are data protection, compliance, risk management and business continuity, and none of them is a minor issue. So why do board members so often keep their distance from cyber?

A report released last year showed that just 5% of CISOs reported directly to the CEO, down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close to cyber, it will reach them anyway, at least according to the SEC’s new cybersecurity disclosure rule. What should security leaders do?

Cyber knowledge gap

A recent CyberEdBoard report said, “Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board.”

That may be a generalization, as technical fluency increasingly reaches the upper ranks of business. Still, when only a fraction of CISOs report to CEOs, it raises questions about how companies prioritize security.

Meanwhile, the federal government is increasingly concerned about the impact of cyberattacks on critical infrastructure and government agencies, and federal regulators are taking enforcement action.

SEC enforcement moves forward

In 2022, the SEC nearly doubled the size of the Enforcement Division’s Crypto Assets and Cyber Unit. Since then, the unit has brought enforcement proceedings against SEC-regulated entities for insufficient cybersecurity controls and for inadequate disclosure of cyber risks and incidents.

Over the past two years, SEC enforcement has produced charges, fines and settlements. Some of the biggest financial entities in the world have paid penalties ranging from $425,000 to $35 million.

Are public company regulations next?

For public companies, the answer is already yes. The SEC’s cybersecurity disclosure rule, adopted in July 2023, requires registrants to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that it is material, and to describe in their annual report (Regulation S-K Item 106) their processes for assessing, identifying and managing cybersecurity risks, management’s role in that work, and the board’s oversight of cybersecurity risk. The proposal that companies also disclose board members’ cybersecurity expertise was dropped from the final rule. Separately, the SEC’s proposed Rule 10 would impose cybersecurity risk-management, notification and disclosure requirements on broker-dealers, exchanges and other market entities.

The board should get on board with cyber

Although some board members may still be reluctant to address security head-on, education is the key. Start with figures that are easy to grasp: the global average cost of a data breach has reached $4.45 million, and the SEC fines mentioned above have run to $35 million.

Security leaders should also compile data on the real-world risk, and damage, that cyber presents to their own company. How many attacks did you detect last year? How many became breaches? What did they cost? What measures would reduce further incidents, and what investment would they require?

These are simple concepts that any business-minded person can grasp. Armed with this kind of information, board members can converse intelligently with any regulator.

It would be unreasonable to ask board members to become cyber experts, but they can be guided to understand the associated business risks and benefits. Cyber executives should also have a seat in the C-suite, or at least direct access to the CEO.

Give the board terms they understand

According to Marco Túlio Moraes, CISO and expert board advisor at CyberEdBoard, security officers need to learn to speak in financial terms.

For example, can you explain the total loss exposure for your cyber risk portfolio in quantitative financial terms? This can help everyone grasp the size of the issue to drive the strategy. Healthcare, for instance, has a risk portfolio with an average loss exposure of $5.5 million, given a probable annual likelihood of 9% and an average loss of $40 million. Is this something your board can accept?

Once these numbers are clearly laid out, risk appetite and tolerance can be defined against constraints such as budget, staff, time and other resource limits. From there, an informed discussion about cybersecurity strategy can take place, covering investments, responsibilities and expected results.
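As an added example (not code from the article, from Moraes or from CyberEdBoard), the following Python script turns the loss-exposure and risk-appetite discussion above into a calculation a CISO could actually run and put in front of a board. It computes the classic annualized loss expectancy (annual likelihood × loss magnitude), then goes beyond that point estimate with a Monte Carlo simulation over a constructed portfolio of loss scenarios, producing an expected annual loss, loss percentiles and a loss-exceedance curve, and finally tests a risk-appetite statement ("no more than a 5% chance of a $25 million year") against the simulated results. The scenario names, probabilities and low/most-likely/high loss figures are constructed assumptions, and the triangular loss distribution is a modelling choice, not something the article specifies. Note that the simple product of the two inputs quoted above, 9% × $40 million, is $3.6 million; the $5.5 million exposure figure must come from a different calculation that the article does not show.

```python
"""Expressing a cyber-risk portfolio as financial loss exposure.

Added example, not code from the article, from Moraes or from CyberEdBoard.
Scenario figures are constructed for illustration; the 9% annual likelihood
and $40M loss pair is the one the article quotes.
"""
import math
import random
import statistics


def annualized_loss_expectancy(annual_likelihood, loss_magnitude):
    """Point estimate: ALE = annual rate of occurrence x single-loss magnitude."""
    return annual_likelihood * loss_magnitude


def simulate_annual_losses(scenarios, years=50_000, seed=7):
    """Monte Carlo over a portfolio of loss scenarios.

    Each scenario is (name, annual_probability, low, most_likely, high).
    When a scenario fires in a simulated year its loss is drawn from a
    triangular distribution over (low, most_likely, high); that distribution
    is a modelling assumption chosen because it needs only three expert
    estimates.  Returns one simulated total loss per year.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _name, probability, low, most_likely, high in scenarios:
            if rng.random() < probability:          # scenario occurs this year
                total += rng.triangular(low, high, most_likely)
        losses.append(total)
    return losses


def loss_exceedance(losses, thresholds):
    """P(annual loss >= t) for each threshold t, i.e. the loss-exceedance curve."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}


def percentile(losses, q):
    """Nearest-rank percentile for q in 0..100 (no numpy needed)."""
    ordered = sorted(losses)
    rank = max(1, math.ceil(q / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses):
    """The figures a board can act on: expected loss plus the tail."""
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
    }


def within_risk_appetite(losses, tolerance, max_exceedance_probability):
    """A risk-appetite statement in testable form: the chance that one year's
    losses reach `tolerance` must not exceed `max_exceedance_probability`."""
    return loss_exceedance(losses, [tolerance])[tolerance] <= max_exceedance_probability


# Constructed portfolio (assumed figures). The first row uses the article's
# 9% likelihood and $40M loss as the most-likely magnitude.
PORTFOLIO = [
    ("ransomware with major outage", 0.09, 10e6, 40e6, 70e6),
    ("customer data breach",         0.20, 1e6, 4.45e6, 12e6),
    ("third-party / supply chain",   0.15, 0.5e6, 2e6, 8e6),
]

if __name__ == "__main__":
    ale = annualized_loss_expectancy(0.09, 40e6)
    print(f"ALE for the article's scenario: ${ale:,.0f}")
    losses = simulate_annual_losses(PORTFOLIO)
    for key, value in summarize(losses).items():
        print(f"{key:>21}: ${value:,.0f}")
    for t, p in loss_exceedance(losses, [1e6, 10e6, 25e6, 50e6]).items():
        print(f"P(annual loss >= ${t / 1e6:.0f}M) = {p:.1%}")
    print("Within appetite (at most 5% chance of a $25M year):",
          within_risk_appetite(losses, 25e6, 0.05))
```

Run it as a script to print the summary; the functions take plain lists and tuples, so the same numbers can be regenerated from a risk register or spreadsheet. The part that matters for the board conversation is the exceedance curve: an expected-loss figure on its own hides the tail, and a tolerance only becomes a decision when it is stated as a probability attached to a loss level, which is exactly what within_risk_appetite checks.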
