Why Corporate Boards Should (must!) Engage Third Party Digital Security Advisory Expertise
The bipartisan Cybersecurity Disclosure Act of 2015, introduced in December by Senators Susan Collins (R-ME) and Jack Reed (D-RI), calls for publicly traded companies’ disclosure of cybersecurity expertise (or lack thereof) on their respective Boards. The following discussion is not about the merits of the proposed bill—arguably Boards historically routinely seek and engage outside advice and opinion as a matter of best practice—nor whether the bill will ultimately be written in to law. Rather we will reflect here on the broader subject of Boards’ maintaining and exercising ready direct access to thoughtful and expansive cybersecurity expertise to enable the most dynamically fortified cyber bulwark possible. Perhaps at some point in the future all Board composition will include a cyber expert as Director, but todaywe’re still far from that benchmark . . . As cybersecurity is still relatively nascent, most serving Board Directors of today simply have not professionally grown up in a digital security world, and so the numbers are not yet there.
Corporate Boards, public and private, must engage third party cybersecurity advisory expertise as the priority action step . . . to ensure the company they are stewarding is maximizing bolstering its digital security posture. We, as the broad collective corporate community, have only just entered this ‘new frontier’ that is cyber risk mitigation. We are all learning, growing, strengthening and yesmaking (some) mistakes as we go. Boards must seek outside cyber guidance, not out of a lack of faith nor confidence in their company’s senior security staff’s abilities, but rather in pursuit of their fiduciary responsibility. As we’ve previously discussed, risk mitigation is an essential component to Boards’ fiduciary responsibility; and so it follows that, since the majority of Board members are not digital security experts, Directors naturally must access third party cyber guidance to ascertain an informed perspective. As a matter of regular course, Boards constructively challenge the budget, strategic and leadership succession plans put before them by their respective companies’ CXO teams. This is where their domain expertise lies; and provoking healthy debate makes those plans all the more fundamentally sound. So why shouldn’t Boards do the same with their digital security (e.g. cybersecurity) plan?
Let me to illustrate my point with a quick and (hopefully) readily accessible analogy . . .
Anyone here who has had the misfortune to have an elderly family member require serious/extensive medical intervention, you will know that listening to the attending physician can be unsettling, daunting, disconcerting. . . not to mention leave you feeling vulnerable, exposed, exasperated and sheepish. The doctor, however well-meaning she/he may be and spot on in her/his diagnosis/prognosis and remedial course of action, is speaking a language that is at best hard to recognize, let alone understand, for even the most medically informed layman. This writer has experienced this scenario several times over with family members. Were it not for my wife herself being a healthcare professional (RN/NP), I and my family would have been lost. Not only did I/we not understand the specifics beyond just the periphery; but also, and perhaps more importantly, I/we possessed neither the basis nor foundation to constructively push back and provoke an engaging dialogue to collectively pursue and ensure best outcome.
With the benefit of my wife’s advisory leadership, I/we were able to ask thoughtful and informed questions to test the thesis presented, explore all contingencies in depth and jointly cement the agreed to path forward. The doctors too understood that my wife’s strident advocacy was well placed and well-intentioned. Rather than inferring that some sort of lack of trust was driving our pursuit, they appreciated that it was our responsibility, as stewards of our family member patient’s best interests, to fully/jointly examine the (medical) case so that we might collectively determine the best course of action.
Without an informed line of questioning with which to engage and constructively push back, we essentially ‘just throw our hands up’ with an ‘OK, whatever you say . . .’ response.
Similarly. . . Absent the benefit of tapping in to third party cybersecurity expertise, this is exactly where Boards are in their exposure. Listening to their respective CXO teams brief them in on various corporate digital security gaps and threats can be unsettling, daunting, disconcerting. .. not to mention leave Directors feeling quietly vulnerable, exposed, exasperated, sheepish. This is all relatively new stuff, and so entirely understandable.
No doubt, our referenced doctor is very likely tracking on correct course. But a richer, deeper give-and take two-way dialogue can only reinforce and ensure the best possible outcome. We’re better for it, the doctor is better for it . . . and our family member patient is better for it.
Similarly. . . In engaging on-call cybersecurity advisory expertise, Boards are better able to test the thesis presented by their CXO leadership, explore all contingencies in depth and jointly cement the agreed to path forward. Indeed it is their responsibility, as stewards of their company’s shareholders’ and employees’ best interests, to fully examine the actual and potential forensics so that the CXO-Board leadership tandem might collectively determine the best course of action.
As we’ve previously discussed, all diligent and engaged Board Members are wired to understand and excel at financial and reputational risk oversight and mitigation. Many/most by now ‘get the digital thing’, in terms of a new and pervasive threat vector they must now figure in to their calculus. And so Boards are standing on the precipice of taking the proverbial leap to fundamentally ‘working’ digital risk mitigation as a core fiduciary responsibility.
So why not do some regular outreach to get smarter? This is still a young, ‘new frontier’ (aka “Wild West”) environment . . . Abundant information overflow with a whole lot of unconnected-nonconnected-disconnected dots; where no one person is remotely near to having all the right answers.
Net net . . . In seeking and gaining a more informed position for constructive pushback on the prevailing cybersecurity matters of today (and months/years ahead) for purposes of lively discourse and engaged debate, the Board benefits, CXO leadership benefits, and most urgently . . . the company’s risk mitigation stance, and thus its competitive position, benefits.
Editorial note. . . This cyber headhunter is collaborating with a wide number of cyber thought leaders in various advisory initiatives. Our next commentary piece will feature a cybersecurity advisory briefing to Boards, as put forth by one particularly sought-after veteran digital security officer. First, a case study survey of corporate cyber forensics (some known, some not widely known . . . but all fairly shocking), and associated review of the respective company Boards’ implicit responsibilities as pertains. Next, a simple but effective and easily accessible 3-step plan for Boards to implement, which will enhance and dynamically maintain their cybersecurity engagement. Details to follow .. .