Richard Marshall, as the chairman of Cinturion Group, is deeply involved in overseeing the security of the vast Trans Europe Asia System (TEAS) fiber optic network being constructed from India to Europe, passing through the Middle East. The complexity of this project is compounded by the fact that the cable will traverse countries with strained relationships, posing potential cybersecurity challenges.
Reflecting on his 16-year tenure as a board member, Marshall acknowledges that in the past, responsibility for securing such critical infrastructure would have been delegated to IT security experts known as “propeller-heads.” However, with the rise of costly ransomware attacks and their detrimental impact on businesses, board members and audit committees have now become more aware of the need to be directly involved in cybersecurity matters. According to Gartner, a whopping 88% of board members now consider cybersecurity as a business risk rather than just a technology issue.
Marshall, who also chairs two other boards and serves as a cybersecurity consultant, emphasizes the evolving sophistication of boards in addressing cybersecurity risks. The younger composition of boards contributes to their heightened technical awareness and recognition of the necessity to mitigate risks proactively.
Furthermore, the looming prospect of increased government regulatory pressure, such as the SEC’s proposal to require publicly traded companies to disclose their cybersecurity governance practices, has stirred considerable debate within the corporate realm. While organizations are not obligated to appoint board members with technology or cybersecurity expertise, the proposed SEC rules would require them to disclose whether such members have been appointed.
The shortage of competent Chief Information Security Officers (CISOs) has been identified as a growing concern by the SEC, which highlights the significance of cybersecurity governance in the contemporary business landscape. The commission stresses the threat that cybersecurity incidents pose to companies, underscoring the importance of disclosing board members’ cybersecurity expertise to investors.
To equip technology-challenged board members with a better understanding of cybersecurity, experts advocate for several measures that would help in complying with impending regulations and enhancing oversight. These include appointing cybersecurity experts to the board, making cybersecurity governance a recurrent agenda item, prioritizing resiliency alongside risk management, acquiring cyber skills training, and strengthening collaboration between board members and CISOs.
Dr. Keri Pearlson, an executive director at Cybersecurity at MIT Sloan, emphasizes the critical role of cybersecurity in managing business risks, affirming that cybersecurity expertise on boards is imperative. She asserts that companies with cybersecurity-focused directors and dedicated cybersecurity committees are better equipped to navigate cybersecurity challenges effectively.
In essence, the evolving landscape of cybersecurity demands a proactive and integrated approach from board members and organizations. By fostering a culture of cybersecurity awareness and resilience, businesses can strengthen their defenses against cyber threats and ensure the continuity of critical operations in the face of potential cyber incidents.