Strong Cyber Accountability at Board Level a Must

Author: Deepa Seshadri, CISA, CISM
Date Published: 16 March 2022

Accountability and oversight are the two key reasons why a company’s board exists. Everything that the board does can be subsumed into these two buckets.

It wasn’t long ago that we started seeing the financial function represented on the board by the Chief Financial Officer (CFO). Prior to that, the CFO or an equivalent would take part in key board meetings but did not have a seat on the board. This evolution was probably driven by the fact that every listed organization must publish its financials, which are prepared by the finance function under the CFO. If there are any mistakes in compiling and filing that financial information, it is not the finance function that the authorities follow up with; it is the board. So, even if the CFO’s presence on the board was not a mandatory requirement, it became a logical and functional one (depending on the industry in which the organization operates and other parameters).

While the CFO’s office has, in most cases, managed to secure a seat on the board, there is another extremely important position that has become part of almost every large organization and is on par with the CFO’s, and that is the Chief Information Security Officer (CISO). Portions of the position have existed in earlier forms, such as the chief information officer, the data privacy officer or the head of network security, but the evolving nature of business, digitization and the never-ending threat of cyber intrusion gave rise to the role of the CISO. The question is, should the role of the CISO be treated as that of a technologist who keeps an organization’s digital assets secure, or is there more to the role?

The answer is that a CISO’s role is more than that of a technologist. The CISO brings strategy that drives the organization’s future, just as the CFO does. A breach has a direct impact on client accounts, on the organization’s stock and on its brand value. There are plenty of examples where a security breach not only resulted in lawsuits but also eroded a company’s market and brand value.

This brings us to oversight, the second of the two key roles that a board performs. With members of the board often coming from traditional business backgrounds, they are frequently not sufficiently informed about the scale of cybersecurity. They need a person alongside them to guide them at every step, and that guidance cannot be on-demand – it needs to be a regular part of board discussions when building corporate strategy.

Effective oversight on matters of cybersecurity requires a seat on the board for the CISO or an equivalent. It helps to integrate cybersecurity into everything that the organization does internally. The CISO’s presence on the board becomes even more important when talking about acquisitions. Are the target organization’s assets and networks secure enough to ensure that a breach on the first day of a merger does not invite a class-action lawsuit? Is user and client data being protected properly? Were any corners cut and security parameters dressed up for an acquisition to go through? Were any data and security breaches brushed under the carpet? Financial due diligence has an equal counterpart, and that is cybersecurity due diligence.

The CISO brings not just security expertise to the board, but also a perspective on business strategy that no one else can. Most board members are well-versed in the nuances of finance. They question the various stakeholders about the financial performance of their respective businesses within the organization, but they aren’t equipped to ask questions of similar depth about the cyber readiness of those same businesses. For instance, consider a large conglomerate with a major presence in the power sector. Apart from the financial details, is the board aware of the huge threat that connected grids face from a cybersecurity perspective? Is the board getting the outside-in view that a power distribution business has, in effect, become a large network security organization? Probably not.

In the event of a cybersecurity breach at an organization, the primary responsibility of the board comes into play: accountability. The board is ultimately accountable for everything that happens in an organization. If the financial performance is stellar, the board is commended, and if there is a negative incident, the board is accountable. But how can a board even quantify that accountability if it doesn’t have a cybersecurity professional among its members? What liability does the organization stand to face in case of a cybersecurity breach? The questions are many, but the answer is a simple one – give cybersecurity a seat on the board.