Question: Why’s there an empty seat at the boardroom table?
Answer: Because the Chief Information Security Officer (CISO) isn’t there.
It’s not a joke, but that’s the punchline. For whatever reasons, cybersecurity experts have been out of the room. They’ve been in the shadows, hunkered down in the basement, doing the grunt work of keeping businesses from going belly-up from data breaches, making sure that software businesses can actually sell their stuff.
The reason software makers can sell to security-conscious customers at all is that they're SOC 2 compliant. That means that somebody filled out the questionnaires. Somebody set the business on the road to moving through the Federal Risk and Authorization Management Program (FedRAMP). Here at Contrast, that somebody is the CISO.
That's important work, and by important, we're talking about sales: In fact, Contrast, like other software businesses, couldn't sell squat if that work hadn't been done, according to Contrast CISO David Lindner, who highlighted the Securities and Exchange Commission's (SEC's) proposed new requirements for board-level cybersecurity knowledge in his March 24 CISO Insights column. Lindner noted that cybersecurity "is no longer just a CISO or CIO problem." It is, rather, "a business problem," and that means that updating the board every year or so just won't cut it. "It's time for cybersecurity to be a topic of conversation at every board meeting," Lindner stressed.
As it is, Lindner hasn’t been at a board meeting since Log4j hit in December 2021. At the time, he showed the board three slides. The board asked good questions, but it was over in a flash. All told, it took about 5 minutes.
Doesn't sound quite right, does it? That's 5 minutes devoted to hearing from the company's cybersecurity expert about a flaw that attackers used to launch over 840,000 attacks within days of its disclosure.
But change is on the way, in the form of a new rule from the SEC — a rule that’s expected to be a huge game changer.
Something’s got to give
Thanks to the new, proposed rule, released in mid-March, we're finally on the cusp of people with cybersecurity knowledge and skills getting a seat in the boardroom. The rule concerns cyber-risk management, strategy, governance and incident disclosure, and it shows that the Commission is done dealing with the fallout from companies that have CISO-sized holes in their boardrooms.
Specifically, soon we’ll see required public disclosure of director experience in cybersecurity and risk oversight practices. Just how, exactly, that cybersecurity expertise will be measured is still to be determined, but it seems apparent that, to steal a phrase from Forrester, the era of “paying lip service” to cybersecurity is over.
Forrester predicts that once finalized, the rule will trigger “monumental change in cybersecurity and risk terms, in everything from corporate accountability and reporting structures to financial reporting, not seen since the passage of Sarbanes–Oxley (SOX) in 2002.”
Writing a month before the SEC proposed the rule, Forrester analysts Alla Valente, Jeff Pollard and Cody Scott drew the same parallel: Both the SEC's new liability rule and SOX were a direct result of "the failures of previous attempts of guidance and recommendations to drive meaningful change," they contend.
As far as SOX goes, the triggers were massive corporate failures such as Enron and WorldCom that pointed to the need for rules to forestall financial fraud. More recently, stockholders have suffered significantly from incidents such as the opaque announcements Equifax put out following its 2017 breach, as well as from breach cover-ups such as the one that former Uber CSO Joseph Sullivan tried to pull off (and for which he was convicted in October 2022).
The SEC rule heralds the dawn of what some call the liability regime, in which liability for cyber risk shifts toward the software industry, companies are required to have cybersecurity skills on the board, and repercussions could even include clawback of executive bonuses.
Not necessarily a bad thing for cybersecurity efforts, Forrester muses, given that it “should make building cybersecurity business cases to justify investments quite a bit easier.”
90% of boards not even close to ready
This is what the proposed SEC rule would require of companies:
- Director expertise: Companies would be required to disclose board directors' cybersecurity experience and qualifications in public filings, such as Form 10-K and proxy statements.
- Cybersecurity risk oversight practices: Companies would have to disclose governance methods and risk analysis and management processes in SEC filings.
- Details on cyber incidents: Companies would have to publicly disclose individual incidents deemed "material" (or a series of smaller incidents that combine to become material in the aggregate) within four business days of determining that such a situation has occurred.
According to Brian Walker, a member of the Forbes Technology Council, analysis shows that only 51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience. It's even worse at the Fortune 200 through 500 level, where only 9% have cyber-savvy directors, he says, and it gets worse still when you go smaller: "[When it comes to] the companies in the Russell 3000 smaller than those in the Fortune 500 … only 8% have cyber directors. There is a total shortage of 2,724 directors with cybersecurity expertise across all Russell 3000 companies."
In fact, an analysis of board-level expertise based on publicly available data shows that up to 90% of companies in the Russell 3000 “lack even a single director with the necessary cyber expertise.”
‘It’s all over the damn place’
Where are all the CISOs in this picture? Not on the board, that's for sure. In fact, where the typical CISO sits and whom they report to is "all over the damn place," Lindner says.
“It's the CIO. It's the [Chief Financial Officer, or CFO] for me, it's the [Chief Product Officer, or CPO], sometimes it’s the CEO. Some of it's to the board directly, some of it's that there’s a dotted line all over the place,” Lindner says.
The reality is that the CISO doesn't "fit anywhere specific," Lindner says. But they shouldn't just be "reporting" to the board anyway. Rather, they should be "normal participants" in board meetings.
But it’s starting to change. Lindner will be presenting to the board at least twice a year going forward, he says. That’s something. “It should be more,” he says, but a CISO is “continually fighting” that fight.
Perhaps it wouldn't be such a fight if there were a specific security person on the board. "I'm not saying it's not on their mind, but it's not something that comes up in normal conversations in their meetings, right?" Lindner says. "They're talking about products and finances and all that stuff. But the reality is that without your security, and [cybersecurity directors] providing the things that you know … we would sell sh*t.
"You know, the security questionnaires and SOC 2 compliance and now moving through FedRAMP, it's a business thing. It's not a cost center. It's used to accelerate sales.
"If we didn't have our SOC 2, I can't even imagine how much that would add to not only the sales cycle, but we wouldn't sell to certain customers at all without it. And the only way to get your SOC to Type 2 is to have your ships in a row and your ducks in line and make sure that you're doing the things you say you're doing from a security, privacy, confidentiality, integrity and availability aspect."
What do you tell a board in 5 minutes?
This is clearly the time for companies to take a hard look at their boards and figure out what changes need to be made. There's good advice out there on how to talk cybersecurity to a board and get them invested; here's some from Forbes.
Lindner also has advice. When he most recently presented to the board, following Log4Shell in December 2021, he showed three slides. He focused on the third, which covered key performance indicators (KPIs).
Metrics are important to show the success of the security work that's being done. He called out that importance in his March 24 CISO Insights column, where he listed his top three measurements for determining the success of Contrast's security program. Namely:
- Mean Time to Remediate (MTTR)
- Vulnerability Escape Rate (VER)
- Number of attacks detected
One problem: Nobody has time to measure. As it is, security teams are “always, always fighting fires,” Lindner says.
Do we need a moral to this story? Maybe it’s “Be kind to your CISO.” As it is, they seem to be quitting at an alarming rate, and now is not the time to lose cybersecurity know-how.
As the SEC has made clear, now is the time to be listening to cybersecurity experts more carefully than ever.