
Is a cybersecurity expert necessary on a board of directors?

Communicating cybersecurity issues to a board of directors can be challenging. Expert Mike O. Villegas discusses whether a cybersecurity expert on the board would ease the struggle.

A lot has been said about the difficulties in communicating cybersecurity issues to a board of directors. Now there is a proposed bill that asks companies to disclose whether they have a cybersecurity expert on their board of directors. Should a board of directors include a cybersecurity expert? What background and skills qualify a board member as a cybersecurity expert?

A board of directors is responsible for the overall governance of an organization. This includes making the right decisions to ensure the profitability and well-being of the enterprise. A typical board member is chosen based on skills and experience the board needs to make that happen. Decisions are generally made by consensus and, when necessary, they will call upon subject matter experts to make informed decisions.

Cybersecurity is one of those topics where the board looks to pundits or the CISO to better understand the organization's position on the state of cybersecurity. Admittedly, cybersecurity is a growing concern for this body but, unless it has recently experienced a breach, it has yet to be a topic that takes up the majority of the board's discussions. That does not make cybersecurity any less important. Companies subject to Securities and Exchange Commission regulations are required to include corporate governance and cyber-risks as part of their C-10 filings.

On December 17, 2015, a U.S. Senate bill was introduced that would require publicly traded companies to disclose whether or not they have a cybersecurity expert on the company's board of directors. But is such a member necessary? What skills other than cybersecurity would this board member bring to the table?

If the intent of this bill was to have the CISO be a board member, it would marginalize the CIO position if she were not also allowed on the board. This would also complicate matters if the CISO reported to the CIO. Having two technology board members would further affect the board makeup. Luckily, this is not the intent of the bill.

Overall, enterprises should strongly consider having a cybersecurity expert on their boards. It is important to note that this bill, dubbed the "Cybersecurity Disclosure Act," merely proposes that publicly traded companies disclose whether any member of the board of directors or general partner has expertise in cybersecurity or, if not, what steps they may be taking to fill that knowledge void.

Any cybersecurity expert on the board of directors should be required to not only have technical and cybersecurity expertise, but also financial, operational and executive level experience. This would include holding cybersecurity certifications and possibly a CPA or MBA.



This was last published in October 2016


Do you think cybersecurity experts should be required members of boards of directors? Why or why not?
Certainly not; security is just another service to enable and protect the stakeholders' goals. Including a cybersecurity consultant on the board of directors reverses the relationship between the stakeholders and the IT organisation.
The COBIT 5 goal cascade should be considered, which helps map enterprise goals to cybersecurity requirements that are shaped by the cybersecurity policies and standards of the enterprise.
From my perspective it depends entirely on the company in terms of sector, maturity, size, etc.

An obvious counter-example to "certainly not" is that the board-level leadership of specialist security companies should have a keen understanding of cybersecurity issues and how they relate to their business.

I think the point more generally is that far too often communication between the board and the security organisation is inadequate and this situation must change. This is the impression I also got from my days as a consultant.

Whether this could be helped by adding security knowledge to the board, or adding business knowledge to the security organisation, is an open question; I suspect the answer again is "it depends".

One thing is for sure: if the communication is inadequate, then adding a security expert to the board is only going to be the tip of the iceberg of what needs to be fixed in order for that situation to be resolved. Likewise, training CISOs to have a deeper understanding of the rest of the business and the board's considerations is only going to be a minute fraction of what is required.
It has been the same story for more than 15 years. Supposedly the CEO / CFO do not understand IT security and are not interested in safety risks.

If someone has been bothering the owner / CEO / CFO / company with the same problems for 15 years, then such an "expert" is doing something wrong.
Software is the result of human work. It is not necessary to know and respect the laws of nature, physics or chemistry.
Weaknesses, errors in programs or backdoors are the result of poor human work.
Just set rules and responsibilities similar to those that apply in production, and then the CEO's trust will return.