Cyber Security Board Member and Cyber Security Advisor
Joseph Steinberg serves as a cyber security board member and/or advisor for companies and organizations around the world, helping his clients comply with oversight requirements, maintain and improve information security, and become more successful in general.
As a cybersecurity board member and cyber-governance expert, Steinberg, who authored the official textbook used by many CISOs to study for advanced certification in cybersecurity-management, helps boards understand and oversee cyber-risk management, approve (or reject) cybersecurity policies, and verify regulatory compliance. Steinberg has a long history of successfully helping business leaders both to identify cyber risks and to understand how such risks may impact their businesses’ operations or otherwise create significant exposures – both of which have become essential elements of knowledge at the board level.
Cyber Security Board Member: Expert Guidance in Cyber Risk Management
Steinberg also advises management vis-à-vis what cybersecurity technology can and cannot reasonably achieve in terms of addressing pertinent risks, and, when serving as an advisor to senior management, provides executives with an impartial, trusted, and expert opinion on current and planned cybersecurity initiatives, as well as regarding organizational cybersecurity posture and maturity, such as helping executives better prepare their organizations to address a potential future cyber incident. As a cyber security board member and a cyber security advisor, Steinberg also helps leadership craft cybersecurity policies, and helps management communicate such policies and other cyber-security related matters to their teams in a clear, concise, and simple-to-understand fashion.
Cyber Security Board Member: Expert Advisor for CEOs and Startups
In addition to serving as both a cybersecurity board member and as a cyber security advisor to CEOs and other senior management personnel, Steinberg also serves as a cyber security advisor to founders and others working at startups and other earlier-stage companies that are seeking to rapidly grow. By leveraging his decades of experience as an executive in the cybersecurity field, Steinberg is able to provide valuable guidance on matters related to the cybersecurity industry and on successfully operating a business within the cybersecurity industry. He leverages his robust network, built during his nearly 30-year professional career and in academic environments beforehand, as well as during his decade as a media personality, to make relevant, strategic introductions – helping to jumpstart revenue growth, to build and nurture partnerships, and to improve media attention and coverage. Steinberg also helps clients develop their brand and establish reputations as known players in their respective submarkets of the cybersecurity industry. Of course, as a well-known cyber security consultant and cyber security advisor, Steinberg also offers cybersecurity-related subject-matter advice, including helping cyber security product companies to improve their offerings.
Cyber Security Advisor with Decades of Leadership and Consulting Experience
Steinberg brings decades of experience having led cybersecurity companies and units within them, having served in leadership positions in other technology companies, and having served as a cybersecurity consultant for many years.
Steinberg presently serves on the advisory board of the largest dedicated research firm in the industry, as a Senior Policy Analyst at the Global Foundation for Cyber Studies and Research think tank, as the leader of the cybersecurity group at Newsweek’s Expert Forum, and as the Managing Editor of Cyber Insights Magazine (a digital magazine dedicated to helping policymakers and other leaders stay informed about contemporary cyber-related issues and their potential ramifications, from the perspectives of policy, practice, and technology). Steinberg also presently serves on the Cybersecurity Council of CompTIA, the world’s largest technology trade association and its second-largest related certifying body.
From Zero to Millions: How a Cyber Security Board Member Accelerated Revenue Growth
As a cyber security board member and/or cyber security advisor, Steinberg has helped overseas companies involved in the cybersecurity business and related areas establish and build successful US operations, including helping a zero-US-based-revenue startup quickly achieve multi-million-dollar-per-quarter traction in the North American market. Likewise, he has helped one of the largest technology training companies in the world expand its reach to a global audience.
As a cybersecurity expert with a proven business track record, Joseph Steinberg can help your cybersecurity or other technology firm grow and succeed; with his knowledge of cyber security and related disciplines, and his expertise in communicating at the Board level, he can help your other Directors ensure that your firm and its management properly address cybersecurity-related risks as required – perhaps even preventing a catastrophic cyber-disaster before it happens.
Cyber Security Board Member FAQ
What does a cybersecurity board member do?
As fiduciaries, corporate Boards of Directors are tasked with ensuring that their respective firms’ management teams have implemented proper plans to ensure that their respective businesses are adequately resilient. When it comes to cyber-risk, this means, for example, that corporate boards must ensure that their respective businesses are sufficiently resilient in the event that the businesses face cyberattacks – an occurrence that, over time, is not only likely but essentially inevitable. Boards and their members must ensure that any exposures remaining (after resilience is established in whatever way it is) are limited to known, acceptable, and manageable risk levels.
A corporate board cannot, however, reasonably claim to be properly overseeing cybersecurity risk, holding its management team accountable for managing cybersecurity, and complying with regulations and other legal requirements to do both, if none of the members of the board truly understand how to do any of the aforementioned functions and tasks.
As such, just as corporate boards must have the relevant expertise among their members in order to ensure that senior management is properly managing operational, compliance, and financial risks, boards must also include Directors with cybersecurity backgrounds who are well versed in the management of cyber risks.
What are the responsibilities of a cyber security board member?
In addition to their general fiduciary responsibilities as members of a corporate board, board members with cybersecurity experience are expected to help guide the rest of the members of the board vis-à-vis the many aspects of overseeing the management of cybersecurity risk.
On that note, it is important to understand that Boards are tasked with overseeing the management of risk – that is, ensuring that their respective businesses’ senior management teams have properly implemented appropriate risk management plans. Boards are not tasked with performing the actual risk management, nor should they engage in doing so.
That said, because of the cybersecurity discipline’s newness, and because most of today’s corporate boards lack members who possess adequate relevant skillsets and experience, it is not uncommon to find directors dedicating considerable amounts of time to discussing cybersecurity matters that should be handled by their business’s CISO or equivalent. Such a phenomenon can result in severe problems; when boards dedicate time and attention to matters that should remain outside of the Board’s area of focus, they inevitably end up neglecting matters that do, in fact, require their attention.
Joseph Steinberg has noted that he has personally seen board presentations that discuss details of what percentage of employees failed to perform adequately well on various phishing simulations that the respective companies use as training – but the same presentations contained not a single reference to how well the company could withstand a phishing attack, or, in fact, any form of cyberattack. From the perspective of a board member, however, whether 27% or 31% of workers failed a simulated phishing test is not nearly as relevant as how well the company could withstand the damage that could be inflicted by a phishing attack; both figures (27% and 31%) indicate that a phishing attack against the company is likely to ultimately succeed in tricking some of the firm’s team members into performing actions that are adverse to the organization, so the important question the board needs to answer is: “what damage will occur if a phishing attack occurs, and is that level of damage acceptable?” (Note that this type of question is one that essentially all modern corporate boards need to be able to answer – as there is no modern organization that can reduce to zero its risk of being compromised by a successful phishing attack.)
Far more important at the board level would have been, for example, to discuss what the damage resulting from a successful phishing attack would look like – in the worst case, most likely case, etc. – and to understand and establish whether the resulting level of damage is below an acceptable threshold of tolerance, and, if not, how the business can best reduce it to such a level.
Additionally, cybersecurity is not just a game of numbers. If the number of employees falling prey to phishing simulations dropped over the course of a year from 100 to just 1, is that truly an indicator of reduced risk? If the 100 people who were tricked during the first year were all entry-level maintenance workers who had no access to systems critical for maintaining corporate operations, but the one person who fell prey to the scam the second year was the CFO who issues wire transfers from his now malware-infected work computer, isn’t the potential damage much greater in year 2?
One way to express this thought about which cybersecurity matters a board should focus on (and where the cybersecurity board member should seek to direct the other board members’ attention) is: “A Director should be asking about systems that are critical to a business’s operations, and what levels of exposure the organization faces if those systems suffer cyberattacks, not about which vulnerabilities are deemed critical by their respective vendors.”
Why is it important to have a cyber security board member?
Corporate boards are increasingly being made to bear ultimate responsibility when it comes to cybersecurity; cybersecurity is no longer a technical topic discussed primarily in data centers, it is a critical component of organizational success impacted by every employee. The management of cybersecurity risk is the responsibility of CEOs, and its oversight is the responsibility of Directors – in the same way that both are responsible for ensuring that the business mitigates other material risks such as those related to accounting, compliance, and physical dangers.
Of course, even boards that lack the necessary cybersecurity experts usually pay homage to cyber risk, and they regularly back up their lip service by encouraging senior management to allocate steadily increasing budgets for defense against cyber risk. Yet, despite such awareness and commitment, the sad reality is that so many boards still lack the knowledge, experience, and skills to meaningfully oversee cybersecurity. Boards nearly always want to do what is right; without members who have the necessary knowledge and experience, however, they often do the equivalent of trying to manage financial risk without understanding even basic accounting, or of treating a health condition without any medical training.
While regulators have been relatively slow to act vis-à-vis the cybersecurity role of Boards of Directors, government is unquestionably emerging from its slumber. Since 2011, the United States Securities and Exchange Commission (SEC) has required public companies in the United States to “disclose the risk of cyber incidents if they are among the most significant factors that make an investment in the company speculative or risky.” In 2018 and 2023, the SEC expanded its prior “guidance” in multiple ways, including by ordering that, at least in cases and in areas in which cyber risks pose material danger to a company’s operations and financial performance, Boards of Directors must disclose to the public how the board itself is involved in overseeing the mitigation of cyber risk. Likewise, the SEC has reinforced its requirements that public companies disclose information about their respective cybersecurity postures – including providing more details regarding both the cybersecurity risks that they face and any cyber incidents that they endure. In 2024, similar regulations are likely to be extended to various financial firms, even those that are not publicly held corporations. And, as time continues to pass, the number of entities governed by related regulations, the number of such regulations, and the level of reporting mandated by each of the relevant regulations are all likely to continue to increase.
Besides the SEC’s actions, corporations must address the reality that other relatively new rules further require Directors to understand the security posture of the organizations they serve; New York State, which hosts the 10th largest economy in the world, now requires entities regulated under its banking authority (which oversees not only banks, but also brokerages, insurance companies, cryptocurrency exchanges, etc.) to both establish and adhere to strict minimum cybersecurity standards and to have their Boards of Directors actively review and approve formal cybersecurity programs that deliver on the aforementioned requirements.
What happens if a corporation does not have a cybersecurity board member?
Not having a cybersecurity board member can lead to disasters.
The deficiency and danger are not always obvious when initially present – but, unfortunately, can become quite obvious after a “cybersecurity incident” occurs; simply put, companies with boards that lack members sufficiently experienced with cybersecurity at a strategic level often end up investing their cybersecurity budgets in suboptimal ways that ultimately yield unacceptable results. Considering that institutional investors often deem the oversight of risk management to be the highest-priority responsibility of a Board, and that such investors have demanded increasingly transparent disclosures about board activity in that regard, underperformance by boards in the oversight of a constantly growing risk, with increasingly catastrophic potential consequences, is obviously a serious concern. Government regulators do not take kindly to situations in which boards are not equipped to perform critical risk oversight functions, and shareholders can also sue if fiduciary responsibilities for overseeing cybersecurity risk management are not reasonably met.
Should the cybersecurity board member serve on the board’s audit committee?
If cybersecurity is included within the gamut of internal audit functions, someone with appropriate cybersecurity knowledge and experience should serve on the Board’s audit committee.
What skills should a cyber security advisor possess?
According to the IANS Research report, CISOs as Board Directors, successful Board placements of cybersecurity people disproportionately involve recruiting people with five key traits:
• tenure in cybersecurity
• broad experience
• scale
• advanced education
• diversity
Deep information security tenure includes having several years of experience as a CISO or the equivalent in addition to more than 10 years working in cybersecurity. Having broad, cross-functional experience gives cybersecurity board members a comprehensive understanding of how the business works. Global perspectives give them the ability to address organizational complexity. Diverse perspectives help boards identify blind spots. Advanced degrees, certifications, and publications are also of benefit, and can also help boost the credibility of the board.
Additionally, experience serving as a cybersecurity expert witness can provide a board member with a good understanding as to what types of cybersecurity-related actions and inactions can lead to costly lawsuits.
Is it easy to find good cybersecurity board members?
Finding cybersecurity board members who can successfully blend cybersecurity know-how with business acumen is admittedly not an easy task. According to the aforementioned IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.
“Board CISOs possess more board traits than the average CISO. The most significant difference is in cross-functional expertise, with 71% of board CISOs possessing this trait versus 32% for the R1000 average.”
– CISOs as Board Directors, CISO Board Readiness Analysis (BY IANS + ARTICO + THE CAP GROUP)
As Joseph Steinberg has written in multiple articles, the type of cybersecurity expert who you want to recruit to your board is someone whose security expertise, paired with their practical business knowledge, allows them to guide discussions to help boards understand the comprehensive nature of cybersecurity risks, from all relevant vantagepoints (technical, business, financial, supply chain, etc.). The cybersecurity board member should be able to explain complex technical concepts, help boards focus on resilience and other appropriate board-level aspects of security, and oversee the management of cybersecurity risk.
How does a cyber security board member protect an organization?
As described above, the cybersecurity board member helps ensure that the Board properly oversees the management of cyber risk. Experience has shown the world that Boards that do not have a member with adequate cybersecurity-related experience, knowledge, and skill often fail to properly manage cyber-risks – thereby exposing the organization to potentially devastating cyber breaches, and exposing the organization’s board and management to legal problems from aggrieved shareholders, regulators, or even prosecutors.
Why does a company need a cyber security board member?
Considering that cyber-risk is one of the greatest risks that modern-day corporations face – if not the greatest risk – it is essential that someone at the Board level understand how to oversee the management of that risk.
As noted before, regulators increasingly expect such oversight – and can now hold Board Members personally responsible if they turn a blind eye to the need for such oversight.