Talking Security Strategy: Cybersecurity Has a Seat at the Boardroom Table

Pending new SEC rules reinforce how integral cybersecurity is to modern business operations, and will help close the gap between security teams and those making policy decisions.

Christopher Hetner, Chair, Panzura Customer Security Advisory Council

May 17, 2023

5 Min Read
a photo of an empty conference room.
Source: Stephen Barnes Norther Ireland via Alamy Stock Photo

Cybersecurity is no longer a fringe issue for businesses. What was once a siloed function, there out of necessity more than anything, is now woven into the fabric of any successful business. Any business still treating its cybersecurity initiatives as a side project is setting itself up to fail.

The Security and Exchange Commission (SEC) has laid to rest any doubts about the importance of cybersecurity with new regulations around how boards of directors should approach it. The regulations, which are in the process of being finalized, will require companies to openly report any serious cybersecurity attack and explain who on their board is responsible for dealing with it. The regulations also will require businesses to include board of directors' cybersecurity experience and credentials as part of any public disclosure. This is yet another indication of how integral cybersecurity is becoming to modern business operations.

Growing Downtime Costs

In 2021, more than two-thirds (66%) of businesses were hit by a ransomware attack, according to a survey by Sophos. That's a 78% increase from the previous year, with damages incurred totaling costs of around $20 billion. These costs aren't just down to ransom payments, but also include the downtime and disruption targeted businesses endure. In the Information Technology Industry Council's Hourly Cost of Downtime Survey, more than 40% of companies reported that hourly downtime costs ranged from $1 million to $5 million USD, not including any legal fees, fines, or penalties — which publicly traded companies who fall short of cybersecurity standards can be subject to.

The evolving threat landscape — combined with new regulatory frameworks like that put forward by the SEC — means that cybersecurity cannot be an afterthought or a bolt-on. It must be core to business operations, and that means it needs a seat at the boardroom table. However, according to a recent analysis of data by the CAP Group, 90% of boards are not ready for the new SEC cyber regulations.

Failure to Prepare Is Preparing to Fail

The cybersecurity ecosystem has progressed in leaps and bounds in recent years. Once a siloed function of business, using reactionary tactics to chase down and isolate threats, it now has a proactive, networkwide presence that often leverages threat intelligence, penetration testing, and AI to bolster cyber resilience. However, most cybersecurity teams are still heavily focused on addressing technical-level threats, which are then used to inform security policy and mitigate risk. This leaves a gap of understanding between security teams and those authoring policies and making decisions higher up the chain.

This gap is a vulnerability. Most cybersecurity teams lack the tools or functionality needed to contextualize threats in a way that can be acted upon by other business, operational, and financial personnel. If this "disconnect" between business objectives and cyber resiliency continues, businesses will leave themselves exposed regardless of how thorough their cybersecurity initiatives are. 

Closing the Communication Gap

It's the responsibility of chief information and security officers to evaluate threats and understand to what extent they might threaten their organization, so that action can be taken in line with new security regulations. This means that threats need to be contextualized and communicated as part of an overall enterprise risk management strategy involving finance, compliance, operational, and management teams, as well as board members. 

To achieve this, CISOs will need to step out of their technical jargon comfort zone and communicate threats and their potential impact to other C-suite executives in a way that can be easily interpreted and understood.

This will mean evolving security initiatives into broader risk-mitigation initiatives. Machine learning-powered risk mitigation can play a significant role in helping businesses contextualize cyber threats. By analyzing large volumes of data and detecting patterns that may not be immediately visible to human analysts, machine learning algorithms can identify potential security threats so that businesses can take proactive measures to deal with them.

For example, machine learning algorithms can analyze user behavior data to identify patterns that deviate from normal usage patterns, such as repeated failed login attempts or access attempts from unusual locations or devices. By identifying these anomalies, businesses can take proactive measures to identify a potential attack, such as locking user accounts or implementing additional authentication measures. 

Another area where machine learning can be useful in the context of cyber-threat mitigation is in predicting the likelihood of future attacks. By analyzing historical attack data and identifying common characteristics of successful attacks, algorithms can identify potential attack vectors and help businesses prioritize their security efforts accordingly. This might involve analyzing patterns in the frequency and severity of attacks, as well as the methods and techniques used by attackers. This information can then be used to develop predictive models that can help businesses anticipate future threats and take measures to not only mitigate them, but identify and communicate about them with those at the top.

It's vital that publicly traded companies have a firm understanding of their risk posture and vulnerability. With directors now being held responsible for their company's cybersecurity infrastructure, it's even more vital that director-level teams can quickly and easily understand this vulnerability and any potential breaches. This can be achieved through a combination of new, machine learning-powered solutions, advisory hires that can "translate" and parse the potential fallout of threats, and CISOs taking a more consultative and advisory approach in how they deal with cyber threat resilience.

Cybersecurity is no longer a fringe issue — it has a seat at the boardroom table, and if businesses can't fill that seat, they need to make sure the person sitting there is as well-informed as possible. 

About the Author(s)

Christopher Hetner

Chair, Panzura Customer Security Advisory Council

With over 25 years of experience as a cybersecurity expert, Chris Hetner is recognized for raising cyber-risk to the C-suite and board level to protect industries, infrastructures, and economies worldwide. He served as the Senior Cybersecurity Advisor to the Chair of the United States Securities and Exchange Commission and as Head of Cybersecurity for the Office of Compliance Inspections and Examination at the SEC. Currently, Chris is Chair of Panzura’s Customer Security Advisory Council, which provides education and awareness around data resiliency with a mission of advancing business, operational, and financial alignment to cybersecurity risk governance. Additionally, he is a Special Advisor for Cyber Risk to the National Association of Corporate Directors, Chair of Cybersecurity and Privacy of Nasdaq Insight Council, and a Member of the Board of Directors at TCIG.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights