Should Companies Disclose if they Lack Cybersecurity Board Experience?
A recently introduced bill would require publicly traded companies to disclose to regulators whether a cybersecurity expert sits on their board of directors.
The Cybersecurity Disclosure Act of 2017 only requires companies to report whether they have cybersecurity expertise on their board and, if not, why. It does not require companies to actually have a cybersecurity expert on their boards.
Good write-ups can be found at:
- Bill Would Compel Firms to Say If CyberSec Expert Sits on Board (inforisktoday.com)
- The Cybersecurity Disclosure Act of 2017 (S 536) — What’s New? (linkedin.com)
I like the direction Congress is taking in this situation. This is a step in the right direction: cybersecurity is becoming so critical to businesses, stockholders, and regulators that they need to be aware of whether an organization is operating with such expertise at the very top. However, there is one potential issue to call out.
A colleague of mine commented:
“Defining Cybersecurity Expert — this is an important item. And this shouldn’t get defined as the CEO of a tech company or security company who may have the business or technical acumen but doesn’t know what it’s like to manage or mitigate information risk — because they have never done the CISO/CSO role.”
I think he brings up an important point, as it is a potential loophole. A title without a definition is worthless. There should be knowledge and practical experience behind it to meet the intent of this bill. The point is to put someone at the board level with accountability who can understand the risks, determine the appropriate level of risk acceptance, and communicate the guidance for management to execute and report on.
Determining what constitutes a sufficient level of experience is another problem entirely. Certifications might work, but book learning is certainly not sufficient. The categorization of roles in NIST’s NICE Cybersecurity Workforce Framework is another resource, but not a complete solution to this problem. Although it provides a good reference for the different skills and roles, it does not quantify the quality of individuals.
I think in the end we will all accept a system similar to employment resumes, where the expert would detail their experience in a specific format, which would then be aligned to the unique needs of the board they serve. This, however, places a lot of weight on a regulator, auditor, or fellow board members to assess whether that experience is sufficient. As flawed and subjective as that is, I believe it will likely be the best compromise. The worst outcome would be to not encourage cybersecurity expertise on the boards of directors of publicly traded companies.