With the rise of cybersecurity incidents, companies are starting to consider cyber risks as business-level risks – with some of them seeking cybersecurity experts to join their board for better risk management, Forbes reports.
The National Association of Corporate Directors (NACD) may have something to do with the rise of companies snatching up cybersecurity talent, as it called for corporate boards to strengthen their cybersecurity competency and governance capabilities.
In its “Director’s Handbook for Cybersecurity,” the non-profit corporation stated that “all boards should have the ability to understand cyber threats and assess management’s capability of dealing with cyber-related issues.”
According to a Gibson Dunn report, shareholders have also been urging corporate boards to heighten cybersecurity oversight – with 36% of all shareholder proposals during the 2018 proxy season seeking to add social or environmental performance measures, including cybersecurity and privacy, to executive compensation.
US Congress is also working on improving cybersecurity expertise among public boards, starting with the reintroduced “Cybersecurity Disclosure Act of 2019” brought forth by a bipartisan group of five senators. If passed, the bill would require public boards to either acquire cybersecurity expertise or prove to the SEC that having the expertise is unnecessary because of other compensating controls.
Phil Venables, who spent part of his career as the chief operational risk officer at Goldman Sachs prior to joining its board, commented that corporate boards need someone with a cybersecurity background because every company faces a lot of technology risks.
“If you have a solid technology environment with a strong IT leadership, you can implement more robust cyber controls. At the same time, it becomes easier to make the right strategic decisions for cyber,” he told Forbes.
Myrna Soto, a director for multiple public companies, shared the same sentiments. She also pointed out that cybersecurity experts with a broader understanding of technology risks and their business impact are more suited to stepping into a board governance role.
“If you are a technical security professional who does not have the ability to articulate the business outcomes of cybersecurity controls, you can’t engage the board, let alone serve on one,” Soto concluded.