
Is a cybersecurity expert necessary on a board of directors?

Communicating cybersecurity issues to a board of directors can be challenging. Expert Mike O. Villegas discusses whether a cybersecurity expert on the board would ease the struggle.

A lot has been said about the difficulties in communicating cybersecurity issues to a board of directors. Now there is a proposed bill that asks companies to disclose whether they have a cybersecurity expert on their board of directors. Should a board of directors include a cybersecurity expert? What background and skills qualify a board member as a cybersecurity expert?

A board of directors is responsible for the overall governance of an organization. This includes making the right decisions to ensure the profitability and well-being of the enterprise. A typical board member is chosen based on skills and experience the board needs to make that happen. Decisions are generally made by consensus and, when necessary, the board will call upon subject matter experts to make informed decisions.

Cybersecurity is one of those topics where the board looks to pundits or the CISO to better understand the organization's position on the state of cybersecurity. Admittedly, cybersecurity is a growing concern for this body but, unless it has recently experienced a breach, it has yet to be a topic that takes up the majority of the board's discussions. That does not make cybersecurity any less important. Companies subject to Securities and Exchange Commission regulations are required to include corporate governance and cyber-risks as part of their C-10 filings.

On December 17, 2015, a U.S. Senate bill was introduced that would require publicly traded companies to disclose whether or not they have a cybersecurity expert on the company's board of directors. But is such a member necessary? What skills other than cybersecurity would this board member bring to the table?

If the intent of this bill was to have the CISO be a board member, it would marginalize the CIO position if she were not also allowed on the board. This would also complicate matters if the CISO reported to the CIO. Having two technology board members would further affect the board makeup. Luckily, this is not the intent of the bill.

Overall, enterprises should strongly consider having a cybersecurity expert on their boards. It's important to note that this bill, dubbed the "Cybersecurity Disclosure Act," merely proposes that publicly traded companies disclose whether any member of the board of directors or general partner has expertise in cybersecurity or what steps they may be taking to fill that knowledge void.

Any cybersecurity expert on the board of directors should be required to have not only technical and cybersecurity expertise, but also financial, operational and executive-level experience. This would include holding cybersecurity certifications and possibly a CPA or MBA.


This was last published in October 2016
