Why Are Security Vendors So Obsessed with Board Attention?

The Board needs to take an elevated view on cybersecurity, looking for cross-functional governance matters beyond the mere technical horizon

As I was looking back at the role of the Board around cybersecurity oversight in the context of this recent report from Diligent and BitSight, I was shocked to see the number of vendor-led or vendor-sponsored articles I was coming across, and the shallow nature of their argument.

At a high level, they all revolved around the same logic:

  • Cyber-attacks can take your business down.
  • Therefore, cybersecurity needs to be on the Board’s agenda.
  • My product is key to preventing cyber-attacks.
  • Therefore, the problem it solves needs to be raised at Board level.

This is flawed at a number of levels and simplistic in its views of the way corporate governance operates.

First of all, I don’t think it makes sense anymore to remind Board members of the relevance of cyber-attacks and their potential impact on business. The non-stop avalanche of security breaches we have been witnessing over the past decade across all industry sectors has opened their eyes to the matter, and quite often the “when-not-if” paradigm around cyber-attacks has taken root.

Cybersecurity is on the Board’s agenda in many firms, rarely as a fixed item admittedly, but I think you would struggle to find a Board member somewhere who would openly admit that they don’t care about it. And I would go as far as saying that – in my opinion – it would border on negligence for independent directors to take that view.

Second, a single line of defence, focused on one technical tool or area, is unlikely to be what the Board needs – or wants – to hear. The Board needs to take an elevated view on cybersecurity, looking for cross-functional governance matters beyond the mere technical horizon, because that is generally where large firms struggle and where gaps in protection can appear for cyber criminals to exploit.

The security of a global supply chain, for example, goes way beyond buying some tool: deploying any tool of that sort across the depth and breadth of a global enterprise, and making effective and efficient use of it globally, will always require a number of stakeholders to work together cohesively; that in turn requires a management and governance culture, and incentives, that align with those objectives. Those are the areas where the Board’s attention should be focused.

So why are security vendors so obsessed with Board-level attention for their products or the problem they solve?

They probably think that it is where big money decisions are made.

In my experience, it is rarely the case for the topics we are talking about. Large organisations are bound by a degree of trust at that level. Global CIOs, for example, have very significant signing limits in many large firms, sufficient to cover most of those items.

It could reflect the agenda of tech-driven CISOs trying to push their pet products through their pet vendors.

It could also reflect the fact that many of those articles are in fact written by content writers (with or without the help of some AI), and not by the people whose names appear at the top.

In all cases, this highlights a limited understanding of how corporate governance really works, and simply embodies the bottom-up approaches that have been failing around cybersecurity for over twenty years.

The Board’s attention should be drawn to defence-in-depth principles rather than to single line items: vulnerability management or security awareness, for example, are not the alpha and omega of cybersecurity. They are building blocks in the multi-layered construction that is required to protect the firm as a whole.

Pretending otherwise is just misleading.


About the Author

JC Gaillard is the author of “The Cybersecurity Leadership Handbook for the CISO and the CEO” and “The Cybersecurity Spiral of Failure”; he is a leading strategic advisor and a globally-recognised cybersecurity thought-leader, founder and CEO of Corix Partners and Fellow of the Chartered Institute of Information Security in the UK.