Challenges Ahead: The Gap in Cybersecurity Expertise on U.S. Boards

September 25, 2023

Top U.S.-listed companies often lack board directors with hands-on cybersecurity experience, raising questions about how corporations approach cyber threats.

An examination of S&P 500 boards found that 88% had no cybersecurity specialist among their directors. Only seven firms had a current or former Chief Information Security Officer (CISO) as a board member, and in two of those instances it was the same individual.

“I continue to be taken aback by the slow pace of change in boardrooms,” remarked Dave DeWalt, the head and founder of the venture capital firm NightDragon. DeWalt, who also holds board positions at Delta Air Lines and Five9, took part in the research, which NightDragon led in collaboration with the Diligent Institute, a research arm of executive software company Diligent. The findings were unveiled this Thursday.

For this research, cyber expertise was defined as belonging to professionals who currently hold or previously held CISO positions, individuals in senior technology roles (not strictly cyber-centric), and those with technology backgrounds but no high-ranking roles.

A closer look revealed that about half (52%) of the firms had a director with some tech background related to cybersecurity. This bracket included those affiliated with cyber firms or associated with professional bodies in the cybersecurity domain.

According to Emily Heath of VC firm Cyberstarts, having board members well-versed in cyber matters is now imperative for sound governance. Heath, with a past role as the security head at giants like United Airlines and DocuSign, currently sits on the boards of Wiz and Gen Digital.

“Board members, in their supervisory capacities, must ensure risks, including cyber threats, are aptly addressed,” Heath emphasized, adding that cyber expertise is important for asking the right questions.

Echoing these sentiments, a study by The Wall Street Journal in late 2022 found that of the 4,621 board directors across S&P 500 entities, only 86 had meaningful cybersecurity exposure in the past decade.

Earlier proposals by the U.S. Securities and Exchange Commission had pushed for mandatory disclosures regarding board members with cyber expertise. However, this suggestion was not included in the finalized rules introduced on September 5.

Myrna Soto, the brains behind consulting giant Apogee Executive Advisors, highlighted the inherent challenge of finding suitable board candidates, given that cybersecurity is a niche and complex domain. In addition, the recent trend of inducting cybersecurity leaders into top executive roles means many lack the broader business insight vital for board positions.

Soto, who serves as a director at companies such as Spirit Airlines, Popular, and TriNet Group, noted that board discussions on cybersecurity are usually short-lived, as other topics vie for attention. Any cyber specialist on the board must therefore be versatile enough to contribute to a wider range of discussions.

“Boardroom candidates with cybersecurity expertise need to be holistic business thinkers,” she underlined.

NightDragon’s DeWalt believes closing this gap demands concerted efforts from both boardrooms and cybersecurity professionals. Security leaders need to broaden their business understanding, companies should promote CISOs to genuine C-suite roles, and boards must deepen their grasp of cyber-related issues.

“I’m eager to see ongoing training mandates for boardroom members in cyber literacy,” he said.

