The Securities & Exchange Commission (SEC) is expected to soon finalize new public company cybersecurity rules that have CISOs “filling out their resumes,” The Wall Street Journal reports, in the hopes of ascending to seats on boards of directors.
The SEC proposed version of the rules would require regulated companies to disclose:
>>“The board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk” and
>>”If any member of the registrant’s board of directors has expertise in cybersecurity”
A big opportunity, for sure. A recent survey by The CAP Group found that 90% of Russell 3000 companies lack a single board director with cybersecurity expertise.
But hold on, CISOs. Research from the same researchers on CISO Board Readiness found that only 14% of those surveyed had the overall requirements that board recruiters look for besides infosec expertise, such as:
>>”Ability to Scale”
We Have a Board-Readiness Plan for You
While education and diversity are out of our scope, we have a solid plan for you to start your journey to a directorship by learning to think like a director and present yourself in reporting to your board as a business personality with cross-functional expertise and ability to scale.
James Lam, a noted authority on board governance and a member of the RiskLens board of directors, gave a talk on Critical Do’s and Don’ts of Cyber Risk Board Reporting at the 2022 FAIR Conference hosted by the FAIR Institute (RiskLens is a sponsor).
Here are some of his points, each one backed up by actions you can take by implementing Factor Analysis of Information Risk and leveraging RiskLens’ FAIR expertise.
Discuss cyber risk in terms of strategic objectives and business opportunities.
With FAIR quantitative risk analysis, you can assess cybersecurity projects and programs in terms of cost/benefit analysis for risk reduction – essentially the language for any sort of strategic decision-making.
Quantify risk in financial terms and particularly relate it to risk appetite.
An important element of guidance that the board hands down to management is risk appetite. RiskLens offers a step-by-step approach to set a risk appetite by identifying and quantifying critical loss exposure scenarios. Once risk appetite is set, the RiskLens SaaS platform gauges all new security initiative against it.
Compare risk and performance to industry average benchmarks.
“Directors always do that” across a range of metrics (financial performance, executive compensation, etc.) and cybersecurity management should follow that lead, Lam said. The RiskLens My Cyber Risk Benchmark tool is a handy way to get a quick read on your organization’s risk exposure compared to like organizations.
Support the board’s risk governance and oversight roles.
Going back to the aforementioned SEC proposed rules: Directors would be legally required to oversee the organization’s cybersecurity risk management strategy, including disclosure of recent and past cyber events of material impact. Without risk quantification in financial terms (the basic deliverable of FAIR and RiskLens risk analysis) directors couldn’t fulfill that duty – and CISOs need to keep that constantly in mind in managing and reporting on risk.
We can’t guarantee a board seat is in your future if you start here. But we feel confident you’ll be ahead of the competition, still stuck in a narrow technical lane. As the Wall Street Journal quoted one aspiring board candidate, “Not all CISOs can translate a cyberattack to financial, sales and product-distribution risks and then help prioritize how to respond.” For sure, with RiskLens and FAIR, you’ll hit that mark.
Executive Board Reporting, a new service from RiskLens, provides customized, quarterly cyber risk reports in non-technical, business-friendly formats suitable for presentation to the board, executive leadership, and other critical stakeholders.