French Caldwell, chief evangelist for governance, risk and compliance company at MetricStream, notes a time years ago – when he was a vice president and fellow at Gartner – when boards didn't take much notice of cybersecurity pros. “Now they have them on speed dial,” he says. While that might be a bit of a dated term (don't we dial just about everyone with a single click these days?), you get the idea. Security IT and corporate boards ran in different circles.
For years, pundits and executives have promised that those two worlds would merge in the boardroom, but that never happened, and it mostly seemed like just so much lip service. But that's changed as the CISO's reporting responsibilities have moved further up the chain. “People are now reporting to the CEO, CFO or the chief risk officer,” Gary Hayslip, CISO for the city of San Diego, has said. “Many CISOs are being asked to participate on boards.”
A recent Bay Dynamics study confirms that ascent – and the board's growing focus on cybersecurity. “The survey reveals that boards of directors in larger companies are taking cybersecurity and cyber risk much more seriously than they were just two years ago,” says Michael Osterman, president of Osterman Research. “Board members are increasingly recognizing the critical importance of becoming better educated about cyber-related issues and relying on trusted advisers that can increase their expertise on critical cybersecurity and cyber risk issues.”
John Bruce, CEO, IBM Resilient
French Caldwell, chief evangelist, MetricStream
Michael Osterman, president, Osterman Research
Amjed Saffarini, CEO, CyberVista
Ryan Stolte, founder and CTO, Bay Dynamics
So, what made 2016 different? Certainly, having politicians and political candidates drag cybersecurity into the mainstream (President Obama has made cyber a priority during his term with CNAP, and more recently commanded a report from the Commission on Enhancing National Cybersecurity). Candidates Hillary Clinton and Donald Trump even fielded a question about cybersecurity during one of the presidential debates. Too, endless chatter about Clinton's private email server brought information privacy and protection to the forefront, as well as the prudence of applying enforceable security policies from the top down. Allegations that Russian operatives infiltrated the election process ostensibly to influence its outcome – which an endless stream of leaked emails from Clinton and other entities associated with the Democratic Party seemed to imply – underscored the seriousness of threats to both the public and private sector and drove home the point that there was no time to dawdle in finding remedies.
Boards also simply couldn't ignore the threats that loomed over the companies they govern. “They're definitely more aware, and headline-grabbing breaches have elevated the topic in the minds of all of us,” says Bruce, whose company's “Global Cyber Resilient” study, conducted by the Ponemon Institute, found that 53 percent of respondents had suffered at least one data breach in the past two years.
Given the scope of the breach landscape and with crippling DDoS attacks, insider threats, clever cybercriminals, hacktivists and nation-state shenanigans all elbowing their way into the boardroom, it's only sensible that the super heroes charged with vanquishing them would follow.
“In 2016, cybersecurity not only became a leading practice, but also a board priority,” says Amjed Saffarini, CEO of CyberVista. “We believe the Yahoo breach – an event which caused immeasurable cybersecurity-related challenges for both boardrooms at Yahoo and Verizon, the company that was acquiring Yahoo – represented a cyber-tipping point.”
After the breach, he notes, those boards could no longer ignore cybersecurity's role in mitigating the respective risks associated with running their companies and conducting acquisition diligence.
While the Yahoo case found “the board actively deprioritizing security for the sake of having the membership numbers look good, in the case of St. Jude [Medical] it was a failure to recognize that the company was now operating in the domain of connected devices and data,” Saffarini says. “These were two different – yet similarly defining moments – for board cybersecurity priority in 2016.”
Increasingly, too, liability, at least in theory, is shifting in some cases to boards. After the Target breach three years ago, its board quickly became, well, a target – so their interest is often a matter of self-preservation and protection. John Sapp, CISO at medical device company Orthofix, said the firing of top-level execs at Target and Sony after those organizations experienced serious breaches has turned more than a few heads.