JC's Column /

A Look Back at the Role of the Board around Cybersecurity Oversight

JC Gaillard's column on cybersecurity

There is something of a governance malpractice in bringing in a new expert for every problem the Board may encounter

 

I am not sure what to make out of this recent report from Diligent and BitSight.

It is interesting by the size of its sample (in excess of 4,000 organizations world-wide) and its focus on Board oversight, but the bulk of the commentary in the cybersecurity media has been on a possible correlation of its results with total shareholder return (TSR), something that could be challenged, in my opinion.

Some commentators – and the report itself – appear to suggest that it is a higher level of cybersecurity maturity that leads to higher TSR.

My view is that it flows the other way: Good mid to long-term TSR reflects good management; good management encompasses good governance and good risk practices, something that extends naturally to the cybersecurity space. For example, it is not surprising to see in the report that firms with a more structured degree of cyber risk oversight return higher cyber maturity scores (as measured by the Bitsight index); all this forms part of the same trend towards good management practices: Good management – overtime – leads to good security.

In that sense, it is not surprising to see companies with a lesser degree of cybersecurity maturity showing a lesser degree of cyber risk oversight and lesser shareholder returns; it simply reflects poorer management practices across the board, that extend mechanically to the whole way the business is run. As I was writing back in January 2024, “don’t expect cybersecurity to work in firms where nothing does”…

Beyond that, two other aspects in the report have caught my attention:

First of all, I don’t know what to make of the fact that only 12% of firms in the sample appear to exhibit a “basic” cybersecurity level – according to the Bitsight methodology (reflecting a Bitsight score inferior to 640).

The Bitsight methodology is based only on externally available data, so it cannot encompass the full cyber maturity posture of any firm, but it still offers a metric that is broadly relevant and brings comparison points but given the size of the sample (4,000+ world-wide and across industry sectors), 12% felt quite low.

Does it question the structure of the sample? Does it question the 640 threshold which – I assume – is coming from the Bitsight methodology?

As always with those surveys, it is difficult to comment further without access to the full dataset.

More interesting is the fact that only 5% of firms in the sample appear to have cyber experts on their Board, something the report corrects – slightly – based on separate research with NightDragon placing the number at 12% across the S&P500.

The “cybersecurity expert” definition – as disclosed in the methodology – feels totally relevant in the context and does not seem to be the problem (“current or former CISOs; current or former CEOs, CIOs or CTO of a cybersecurity company”), so how to interpret the fact that 9 firms out of 10 appear not to have direct cyber expertise on their board? And is it really a problem?

There is no disputing the fact that Boards are obviously aware of cyber threats, their potential impact on business and the increasing regulatory burden all this is bringing.

Personally, I think there is something of a governance malpractice in bringing in a new expert for every problem the Board may encounter: The Board needs to take an elevated view and hold the executives accountable, and the executives should be expected to have the skills and expertise necessary to run the firm effectively and efficiently.

And I also think that the “when-not-if” paradigm around cyber-attacks means that cyber risk can no longer be seen as an “hypothetical matter” and is challenging the idea that cybersecurity oversight could be delegated to the Audit and Risk Committee or to one of its sub-committees.

As I was writing back in August 2022, good cybersecurity is no longer a plain matter of risk management: It is “quite simply good business; it protects the firm and its customers and builds resilience; supporting it and promoting it has now become a plain matter of good leadership”.

That’s the view the Board needs to take, and it requires its direct involvement and in its own terms.

 

JC Gaillard

Founder & CEO

Corix Partners

Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.