Many corporate boards have made significant progress in understanding the importance of cybersecurity to the competitive health and sustainability of the companies they oversee. They have certainly gotten the message that cybersecurity is not just an IT issue. And, within the portion of board meetings devoted to risk assessment, cybersecurity is almost always one of the top items on the agenda.
But most board directors have not yet become as well equipped as they should be to gauge intelligently whether their firms' management teams are at the top of their game in defending against corporate cyber-attacks.
I know this firsthand: both from the corporate boards on which I serve and from the boards I advise on business growth and risk-mitigation strategy, especially boards of companies where international transactions are important to their lifeblood—hardly a unique characteristic of many firms in today’s global economic ecosystem in which all of us make decisions one way or another.
The bald fact is that many board members are too intimidated to ask the members of their C-suite executive teams who are most centrally responsible for cybersecurity, usually the chief information security officers (CISOs), anything but the most general technical questions. And even then, the issues that board directors raise with the C-suite almost always focus on the magnitude of the problem and the degree to which the CISOs believe they have existing threats contained.
CISOs, for their part, tend to have an incentive to brief their boards on cybersecurity in relatively dumbed-down language. It has been my experience that it is a rare CISO who discusses with his or her board the nitty-gritty of the actual solutions their teams have already rolled out or are contemplating.