Cyber Matters: Filling Board-Level Security Shortages

Startup Stock Photos

By Rob Sloan, cybersecurity research director, WSJ Pro

As the private sector continues to seek ways to mitigate their cyberrisk, organizations are beginning to look to do more than ensure their information technology teams have security expertise. Increasingly, large companies are hiring cybersecurity experts to advise their boards on the best ways to stop data breaches before they occur.

Top financial service institutions and other Fortune 500 players are bringing in security pros to advise their boards. Now, as regulations look increasingly likely, many more small- and medium-sized businesses could follow suit.

In March, a bipartisan group of U.S. Senators proposed the Cybersecurity Disclosure Act, which would require public companies to share details of governing body cybersecurity expertise as part of their Securities and Exchange Commission filings. If the bill progresses into law, it would promote cybersecurity risk management priorities in the same way the 2002 Sarbanes-Oxley law encouraged board-level finance expertise.

But the bill’s implication is already clear: a lack of cybersecurity expertise could decrease investor confidence in an organization’s cyberrisk management abilities, and affect an organization’s ability to recover from the inevitable data breach.

At the heart of the issue is communication disconnect between security executives and the board. In too many companies, cybersecurity risk has not been adequately translated into terms a board can understand.

That language barrier has contributed to a lack of security awareness, even as breaches continue to plague international companies. A dearth of talent able to operate and communicate effectively at board-level has also created delays for many companies seeking to improve their own situation.

“Too many companies view cybersecurity as a technology problem. They lose sight of the broader issue of enterprise risk,” said Gregory Touhill, the first federal chief information security officer and author of the book “Cybersecurity for Executives, A Practical Guide.”

Organizations oftentimes utilize their CISO as a board advisor. This can be an unsatisfactory experience, though, when the CISO is also expected to report to the board on cyberrisk issues.

“I think there is value for larger companies, particularly those engaged in critical infrastructure activities, but that may not be a good fit for small and medium sized businesses,” said Mr. Touhill, who now works as president of Cyxtera Technologies, a secure infrastructure company and soon-to-be board member of cyber analytics company, Bay Dynamics Inc.

Meeting the demand for expertise, and ensuring those experts really are capable, will be a challenge, according to Mr. Touhill. He pointed to professional training and certification as a significant part of the answer for small- and medium-sized businesses.

“Not having that access could sink a company,” he said.

Board Education Opportunities

Both the National Association of Corporate Directors and Carnegie Mellon University now offer cybersecurity oversight programs aimed at boosting the skill level of directors and arming the next generation of board advisors with skills to articulate, measure and manage enterprise cyberrisk.

“Board members today are actively engaged in re-architecting their business strategy to incorporate a cybersecurity vision that breaks down siloes, protects endpoints seamlessly, and ultimately stops the mega breach,” said George Kurtz, chief executive of the cybersecurity vendor Crowdstrike Holdings Inc. and a strategic advisor to Banco Santander S.A.

“Information security needs to be translated from bits and bytes to conversations about risk management, brand protection, defense of business intelligence, and customer retention.”

(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors. More information on WSJ Pro Cybersecurity at