Boards Are Having the Wrong Conversations About Cybersecurity
Do you agree with this opening statement?
Boards that struggle with their role in providing oversight for cybersecurity create a security problem for their organizations. Even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on resilience, boards fail their companies.
I find this article fairly off-base. The authors are missing the forest for the trees. The board, has a necessary policy role, but security is more an operational (i.e., management) responsibility than a strategic one. I think the disconnect isn't the degree to which the board is involved in the security operations, but rather, whether the board has equipped management with the right policy and resources to do the job.
If a board is exercising due care, it will be asking the CEO and auditors to be confirming organizational capabilities regarding security. In my experience, however, that's more the exception than the rule. I don't think, it is a good idea to have board members meet directly CISOs. That would be creating multiple reporting lines, which inevitably lead to the proverbial cracks that facilitate attacks and blunders. It also leads to board members micromanaging management - another disaster.
The line in the article that jumped out at me is that in speaking about board members, "Many former executives were leaders before the current cybersecurity environment" Newsflash: the "cybersecurity environment" changes daily. You will never be able to construct a board (or even senior management) fully versed in the current technology environment. What you want is management nimble enough to create a corporate culture that changes as the landscape changes. You need a board that provides that operational leeway.
As an analogy, these same authors could have made similar statements about individuals and college funds. The average individual is lacking in investment knowledge. The solution isn't trying to bring up everyone's investment capability (as the authors suggest bringing up the security capabilities of the board). It is in teaching individuals how to handle their strategic duties (how to find an investment professional, set financial goals, etc.) so that the person they have managing their money can execute that strategy. What is a surefire disaster is creating a situation where the strategic element is constantly watching of the shoulder of executive/operational element.