One CISO Can’t Fill Your Board’s Cybersecurity Gaps

The chairman of a large European enterprise approached me over drinks at an event for board members and CEOs on how to build enterprise security resilience. We started talking about cybersecurity risk — a grave concern for many boards. “I sit on seven boards, and we’re all expected to govern cyber risk, but none of us has an intuition about it,” he said. “What should we do?” He was worried about his ability to gut-check security-related information.

Today’s boards face an ever-evolving threat landscape and rising cybersecurity governance expectations. In July 2023, the U.S. Securities and Exchange Commission adopted new rules that require U.S.-listed companies to describe the board’s oversight of risks from cybersecurity threats and outline the processes by which the board or a relevant subcommittee gets informed about such risks. Similar regulatory initiatives are underway in Europe and the Asia-Pacific region.

But many board members find meeting those expectations and regulatory demands very challenging. According to research from The Wall Street Journal, 98% of company directors do not have cybersecurity expertise — just like the chairman I introduced above. That’s striking, given that board members are charged with using their own experience to look behind the veil of good news and probe for the true state of company affairs. Without security expertise, they have a hard time seeing through instances of window dressing in the carefully curated material that makes it to the board.

The intuitive (and quickest) solution to this problem is to recruit a current or former chief information security officer (CISO) to the board of directors. Accordingly, the share of CISOs who sit on corporate boards more than doubled in just one year, from 14% in 2022 to 30% in 2023, a Heidrick & Struggles survey found.

On its face, this seems to be a win-win: Boards increase their skills in a vital area, and many CISOs see joining corporate boards as a logical, fruitful career step. A CISO on the board can better integrate cybersecurity into business discussions at the highest level. More CISOs having board seats is good news, right?

CISOs on Boards: Two Issues to Consider

Recruiting CISOs to the board of directors just for their cybersecurity expertise is misguided for two main reasons. First, boards are supposed to act as a collective. Unlike management teams, which rely on individual accountability, boards ideally act as a single unit to achieve consensus on issues like strategy, risk, and governance.

Boards make decisions collectively, and each member shares collective accountability. No individual board member should act independently, and each member should have the skills to contribute more broadly to the work of the board. Hiring a CISO just to have an expert on cybersecurity to whom everyone else can turn when cybersecurity risk appears on the agenda goes against the fundamental idea of the board functioning as a collective.

Second, consider a CISO’s core area of expertise, which is often technology or security. To contribute to the board meaningfully, directors should be literate in a whole range of areas, such as strategic planning, financial expertise, geopolitical factors, environmental issues, and fiduciary duties. Cybersecurity risk might appear on the agenda for only a few minutes during board meetings that can last multiple days. CISOs also need to possess literacy in all of the other areas that make board members successful.

Four Ways to Increase Board Cybersecurity Expertise

Instead of just delegating understanding cybersecurity risks to one board member by recruiting a CISO, boards should elevate their own collective knowledge and expertise. This does not mean that each board member must increase their knowledge all at once. Some individual board members might be more inclined to engage with cybersecurity, and they can help lead the way and channel conversations. However, it’s important that they don’t become the go-to experts that everyone else delegates understanding and decision-making to when cybersecurity appears on the board’s agenda.

Many boards have started to do something about cybersecurity risk — but very few take a comprehensive approach to elevating the entire board’s expertise with training. Here are four strategies I have incorporated into my work with boards to elevate their cybersecurity capabilities.

1. Quality time. Individual board directors can use internal resources to improve their literacy in cybersecurity. Chairpersons and board members can ask for one-on-one time with the organization’s CISO, without anyone else present.

The chair then can ask questions; for example:

• Which items of the latest budget request didn’t get approved?
• What are the biggest cybersecurity problems from a business perspective?
• When did we last test our plans to respond to a serious cyberattack?
• What can the board do to boost our company’s cyber resilience?

The purpose of this meeting is to try to discover what information doesn’t make it to the board. In addition, members can request more details on cybersecurity risk to supplement the short, high-level summary slides that usually get presented at board meetings.

Many board members sit on multiple company boards, but no two organizations are exactly alike. By looking within one company at a time, board members can become more familiar with the state of play: the company’s most serious cybersecurity threats, risks and their potential impacts, and the most pressing cybersecurity challenges. Individually spending quality time on cybersecurity equips board members with organization-specific knowledge so that they can contribute to discussions in a more meaningful way.

2. Educational courses. Individual board members can take executive education courses on cybersecurity risk from business schools, such as Oxford’s cybersecurity program for business leaders. These courses cover the foundations of cybersecurity risk, as well as new developments, trends, and risks in the regulatory and technology worlds, in areas like AI and quantum computing. Such courses also expose board members to case studies and best practices from other companies and industries on managing and governing cybersecurity risk. Many programs take place online and are based on asynchronous learning, which gives participants more flexibility to work through material.

I have seen boards offer online programs in areas such as sustainability, and some have even made attendance mandatory. Companies should similarly prioritize cybersecurity, given its strategic nature.

3. Cyber learning forums. To elevate the collective expertise of all board directors (and their management teams), some companies have set up recurring cyber learning forums. In my experience, this is an unusual but valuable tactic.

These quarterly or semiannual forums reside outside of the formal governance processes. The CEO chairs the forum, inviting the full board of directors and the management team, and works closely with the IT and cybersecurity teams on the agenda. The purpose of the forum is not to hold anyone to account but rather to create a safe environment in which to learn from each other and exchange ideas.

The people leading the discussion and sharing information are mostly internal colleagues. Board members aren’t asked to look at other companies’ choices but to look inward and improve the collective understanding of common challenges and solutions.

Learning forums offer another opportunity for board members to look beyond the information that gets presented during formal board meetings and understand the real levels of organizational resilience — in a nonconfrontational environment — without the common stand-off between management and the board.

4. Bespoke board sessions. Governing cybersecurity risk is often delegated to a subcommittee, such as audit, risk, or technology. This is where most of the governance work takes place. But it’s also important for the full board to dedicate substantial amounts of time to cybersecurity risk as a collective.

A bespoke board session held on the back of a quarterly board meeting is one of the most effective things a board can do to elevate its cybersecurity knowledge.

I have even come across boards that have set up an extraordinary board meeting just to focus on cybersecurity risk once a year. Some boards choose to work with an external adviser in setting up and running the session. This provides an opportunity to invite experts from their fields to talk about specific aspects of cybersecurity. I always encourage boards to invite other business executives — even from other industries — who have been through an attack to tell their story and share their lessons learned. I also encourage preparatory interviews with each board member in advance, to customize the session to the company and the board’s level of cybersecurity expertise. More organizations need to make this a habit: I see it in my work only with the most mature boards.

Bespoke sessions are a great way to avoid complacency. Board members can learn from the mistakes others have made and discover areas where governance processes may weaken their organization’s resilience to cyberattacks. Each bespoke board session should be followed up to make sure each director has increased their knowledge.

---

By taking a comprehensive approach to elevating board members’ cybersecurity expertise, boards can get ahead of attackers and proactively build cyber resiliency. Incorporating all four elements of this approach can help a board become more comfortable with all discussions on cybersecurity risk.