
SEC’s call for ‘experts’ on board raises opportunity for IT pros

Looking for a better seat? Don’t forget to get in the mix outside of cybersecurity.

Boardrooms may soon be claiming more false expertise than your trivia team.

Upcoming SEC requirements call for board members who have cybersecurity knowledge. While there will likely be an early shortage of true “experts,” the change poses a long-term opportunity for security pros who want a shareholder seat.

“Boards are probably going to scramble to figure out how [to] make an existing member check the box, whether it’s someone who’s been the CIO or that is overseeing technology, but it’d be great over time if we see opportunities for true security professionals to step in and truly serve in the capacity, because they have the experience and the knowledge,” Erica Wilson, VP, global cybersecurity and privacy risk management at Reinsurance Group of America, told a crowd at RSA this month.

Wilson was one of four speakers on a panel discussion that included Andrew Wilder, adjunct professor of cybersecurity at Washington University, Alan Berry, regional VP and CISO at Centene Corp, and Matthew Modica, VP and CISO at BJC HealthCare.

Who needs experts anyway? In March 2022, the SEC proposed mandated reporting of “material” cybersecurity incidents within 4 days and a “disclosure of cybersecurity expertise” on the board. Final regulations are expected soon.

While Succession viewers undoubtedly know that a board oversees a company’s management and strategy, shareholders have increasingly included cyber risk on the priority list, given the consequences of ignoring it. (One example: In November 2022, the FTC ordered the online alcohol marketplace Drizly and its CEO to bolster its security program after alleged failures exposed personal data of over two million customers.)

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“If you don’t have proper cyber experience on your board, and then you do have a breach, then the board is going to be called into question…And that’s going to open up the door for all kinds of lawsuits and other actions,” Berry told the RSA attendees.

Who are the experts anyway? As companies look to turn current board members into cybersecurity experts, courses like NACD’s CERT Certificate in Cyber-Risk Oversight and groups like the Digital Directors Network offer options to get up to speed.

But like Rome and Ikea bookcases, cybersecurity expertise isn’t built in a day.

“If somebody has been in a whole different specialty their entire career and now they’re a board member, a one-day course is not sufficient to be the expert,” said Berry.

Luckily, an “expert” doesn’t have to be a CISO. For Modica, the important expert qualification is experience in dealing with threats and vulnerabilities, and being able to translate them to non-tech-savvy members of the board.

The panel offered advice for aspiring board members:

  • Expand the network. “We’re all professionals, we know each other, we’ve got these networks, you need to go network with the other specialties,” said Berry, citing other verticals’ C-suite members.
  • Improve your business skills. Modica, for example, went back for his MBA after gaining technical experience.

“Boards are going to be looking for the cyber expert who has the business acumen, who can understand how cyber risk…plays into the full picture, and how to account for cyber throughout decision making,” Wilson said.—BH
