Newsweek Op-Ed: Oversight of the Management of Cybersecurity Risks: The Skill Corporate Boards Need, But, So Often, Do Not Have
Despite both a decades-long barrage of media reports of cyberattacks wreaking havoc on the public and private sectors alike, and clear indications from the United States Securities and Exchange Commission (SEC) that corporate boards must be able to oversee the management of cyber-risk by their respective organizations, when it comes to actually delivering on their fiduciary duty as related to cybersecurity, today’s corporate boards often fail to perform as needed and as intended.
It is not hard to explain why corporate boards perform sub-optimally when it comes to the world of cyber-risks (and, in many cases, I am being overly gracious and generous with my use of the word “sub-optimally” to describe board performance). Not only is cybersecurity a relative newcomer to the list of major risks confronting businesses, meaning that business leaders in general have far less relevant experience managing cyber risk than they do vis-à-vis most other forms of material risk, but the rapidly changing nature of technology means that new cyber-risks typically emerge and evolve at rates that are orders of magnitude faster than do any real-world accounting, legal, or physical risks.
Sadly, the aforementioned factors have produced a situation in which even many boards that believe that they are doing an excellent job overseeing the management of cyber risk are actually failing to deliver as needed – a problem that can easily remain unnoticed until after some serious “cyber incident” inflicts significant damage on the deficient organization.
Today, however, it is possible for corporate boards of directors to ensure that they have members with cybersecurity experience. Of course, time and energy should be expended during the recruitment process for potential directors to ensure that any parties under consideration to fill the experience gap vis-à-vis the oversight of cyber-risk management have the right type of cybersecurity experience. Simply adding someone to a board because they worked in the cybersecurity field can lead to problematic circumstances and, ultimately, nasty surprises.
Earlier today, Newsweek published an op-ed that I wrote on this important topic.
To read the piece, please see
on Newsweek.com.