Oversight of the Management of Cybersecurity Risks: The Skill Most Corporate Boards Need, But Don't Have

As evidenced by recent communications from the SEC, corporate boards are increasingly being made to bear ultimate responsibility when it comes to cybersecurity; while the management of cybersecurity risk is the responsibility of CEOs — who normally delegate much of the day-to-day management to a CISO or the like — the oversight of that management is the responsibility of directors.

Yet, despite what seems to be a decades-long barrage of daily news reports of cyberattacks wreaking havoc, when it comes to overseeing the mitigation of cyber risk, corporate boards often fail to perform as needed and intended. It is not hard to understand why such a problem exists; cybersecurity is a relative newcomer to the list of major risks that businesses face, and cyber risks evolve far faster than do other "classic" forms of risk, such as those related to accounting, legal, or physical dangers. The business world has far less relevant collective experience managing cyber risk than it does most other forms of risks — and there is even less wisdom that we can leverage from prior generations when it comes to actually overseeing the management of such risks.

Boards, of course, do not ignore cybersecurity — to the contrary, today's directors are, generally speaking, both well aware of the importance of cybersecurity and highly committed to ensuring that their respective management teams properly mitigate against cyber risk. Boards regularly not only pay homage to cyber risk but back up their lip service by encouraging senior management to allocate steadily increasing budgets for defense against it.

But, as the saying goes, "the road to hell is paved with good intentions"; while boards certainly want to do what they are supposed to in order to oversee the management of cyber risk, the sad reality is that boards of directors often fail to achieve their mission in this regard, primarily because many boards simply do not have members with sufficient enough relevant knowledge, experience, and skills to understand how to meaningfully fulfill the board's role vis-à-vis cybersecurity. Such a phenomenon also creates a danger; in some cases, ill-conceived board actions can even harm organizational cybersecurity rather than help to improve it.

In some cases, boards lacking adequate representation of people with appropriate cybersecurity-related backgrounds can go for long periods of time without appearing to suffer from any problems from the deficiency. In fact, entities with such boards may even boast of having made great investments in information-security programs; eventually, however, after some form of cybersecurity "incident" occurs, the false sense of security quickly erodes, the investments are revealed to have been made in a far from optimal fashion, and the barrier to cyberattacks that many thought was the virtual equivalent of the walls of a fort is discovered to appear to be closer in nature to that of Swiss cheese.

Sometimes, cybersecurity-related discussions in boardrooms seem to offer great promise but are, in reality, unproductive sessions in which directors attempt to perform part of the job of the CISO instead of focusing on their responsibility to oversee the CISO's management of cyber risk. Sometimes, important issues may be raised, but, because directors believe that they understand the matter under discussion better than they actually do, they don't realize that important issues remain unresolved. On other occasions, there isn't enough experience in the room to understand the matter under discussion; I am even aware of a board meeting in which a director joked that he needed a translator in order to understand a presentation by the CISO.

As fiduciaries, boards are tasked with ensuring that their respective management teams have implemented proper plans to ensure that their respective businesses are adequately resilient in the event of cyberattacks (which are, over time, inevitable) and that any remaining exposures are limited to known, acceptable, and manageable risk levels. As a result, cybersecurity risk is becoming a staple of internal audit functions. Yet, because cybersecurity is a relatively new discipline, many organizations plan and measure cybersecurity-related matters using KPIs that may sound to accountants and lawyers as if they were appropriate and effective criteria for measuring success, but which are, in fact, improperly selected and severely flawed.

Board members often hear, and accept at face value, reports of cybersecurity success based on criteria that are not only not meaningful, but often misleading. How many times have I heard of organizations that measured the number of breaches per quarter — without any knowledge of how many attacks were launched to begin with, without understanding the relative potential damage from the various compromises, and ignoring the fact that, by far, the most harmful breaches are likely to be the ones that have not been reported because they have not been detected?

Along that line, it is important to understand that boards are tasked to oversee risk — that is, ensuring that senior management has properly implemented appropriate risk management plans — not to perform actual risk management. Yet, when it comes to cyber risks, it is not uncommon to find directors dedicating considerable amounts of time to discussing cybersecurity matters that should be handled by the CISO and remain outside of their areas of focus, while, simultaneously, failing to discuss key elements of what they actually do need to cover.

I have seen board meetings get sidetracked when directors unnecessarily involved themselves in a detailed discussion about the results of a recent company-wide phishing simulation; instead of focusing their attention on how well the company could withstand a phishing attack — or any form of cyberattack — the folks in charge of overseeing the management of cyber risk expended considerable time and energy on speculating why the employees of particular departments outperformed their counterparts vis-à-vis not falling prey to spoofed emails. The board needs to understand how well the company can withstand the damage of an attack — not whether it is 27% or 28% of employees who need to take a training class.

In short, it is of critical importance for boards to ensure that they have members with cybersecurity experience — but time should be taken to ensure that it is the right type of cybersecurity experience; simply adding someone to a board because they worked in the cybersecurity field can lead to problematic circumstances, and ultimately, nasty surprises.