A monstrous rogue wave of regulation will soon hit the boardrooms of every publicly traded company in America. Those who catch it could be in for the ride of their lives. Those who don’t may find themselves standing in the backwash wondering what hit them. This post is about riding that wave to a better and brighter future for your company.
Every CEO and Chairman of a publicly traded U.S. company should be aware of Senate Bill S.536 – Cybersecurity Disclosure Act of 2017, intended “to promote transparency in the oversight of cybersecurity risks at publicly traded companies”. The details of the bill, first introduced on March 7, 2017, don’t matter nearly as much as the dreaded “T word” (transparency) contained in its introduction.
Like it or not…for better or worse…the federal government will demand increasing degrees of transparency regarding the oversight of cybersecurity risks within publicly traded companies. Why? Because they correctly (in my opinion) perceive such risks to be a matter of national security in far too many cases. Bummer. Before shooting the messenger, please know that as King-for-a-Day, I would abolish 80% of the federal regulations before my first White House luncheon, but not this one should it become law.
A brief dive into the weeds of this bill reveals something all publicly traded company board members should be aware of. Section 2(b)(1) within S.536 says:
“to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience”
Meaning, our beloved Uncle Sam with both his and our best interests at heart, is fast coming to believe proper cybersecurity risk mitigation requires board level expertise. Uncle believes this so fervently he’s determined to make it a legal requirement. And I for one believe he will succeed…and hope he does. However, that is not why I support the spirit and intent of Senate Bill S.536.
I believe there should be a seat on every publicly traded company’s board occupied by an outside, independent and currently active cybersecurity executive. Why? Because a primary purpose of any board of directors is to mitigate risk, and cybersecurity represents a significant (and increasing) risk to every company. No exceptions. Boards that minimize or ignore this fact assume risks that should be unacceptable to shareholders and will soon be unacceptable to regulators.
Mine is not a gloomy forecast, however. Companies stand to benefit greatly by being proactive in securing a top-flight cybersecurity executive for their board. Those who wait and see will see their candidate pool diminish quickly. The bigger the company, the bigger this problem becomes. A Fortune 100 firm should be seeking someone from a non-competing firm of similar or greater size. The viable candidate pool for such a firm is already very limited. There’s much to lose by waiting and much to gain by acting before the government forces you to.
I further believe that adding a cybersecurity executive (a.k.a. CISO) to the board should be the single most cost-effective risk mitigation move any company can take. In the short run, the company may need to create an additional seat for the CISO. Over time, however, the board should be reconstituted and could revert to its original number of seats. By simply not replacing the next member set to roll off the board, the cost of the new CISO seat is nil. Keep in mind, many CISOs (particularly those in larger firms) bring much more than cybersecurity expertise to the table.
What would be the primary responsibilities of a CISO board member?
- Provide strategic oversight of the firm’s cybersecurity function
- Collaborate with and provide guidance to the firm’s cybersecurity leader
- Explore ways to leverage the firm’s cybersecurity expertise by crafting and promoting a Unique Security Selling Proposition (USSP)™
Firms searching for a CISO board member should look for someone:
- Outside the firm, because it’s too important to leave all cybersecurity risk in the hands of any single insider
- Independent from all other board members and executives
- Not referred by anyone within the firm
- Free to tell the board what they need to know, particularly when they don’t want to hear it
- Currently acting in the top cybersecurity executive role within a non-competing firm of similar size as measured by number of employees (cybersecurity risk is more closely correlated to number of employees than revenue)
I’m tempted to add “battle-tested major breach experience” to the above list, but that would unfairly punish candidates who have done an exemplary job of avoiding major breaches. The challenge lies in determining whether such candidates are very good at their jobs or just very lucky. Such challenges, and the need for absolute independence from all fellow members and executives, are among the many reasons to consider hiring a firm specializing in cybersecurity executive board member searches…a firm like Ambassador Solutions.
But wait, let’s flip the script before starting that search. Every public company should encourage their top cybersecurity executive to be on at least one board of a non-competing company of similar size. The experience gained by doing so could prove invaluable to his/her employer. And please, don’t force your CISO to burn PTO days while getting an invaluable education at another company’s expense. If you feel you must, have your CISO attend one less industry conference in exchange for the four days per year board duties will likely require. Now that’s a tremendous value proposition, don’t you think?
Speaking of tremendous value propositions, you will be very pleased with ours. To schedule a 15-minute CISO search discovery call, contact us today to catch the wave tomorrow!