Few board directors at the most prominent U.S.-listed companies have direct experience with cybersecurity, which complicates how boards oversee the handling of cyberattacks.
An analysis of board composition at companies in the S&P 500 index found that 88% have no cybersecurity expert as a director. Only seven companies had a current or former chief information security officer on their board, the research found, and in two cases that was the same person.
“This lack of momentum in the boardroom continues to startle me,” said the founder and chief executive of venture-capital firm NightDragon, who also sits on the boards of Delta Air Lines and a software company.
NightDragon and the Diligent Institute, the research and think-tank arm of executive software developer Diligent, conducted the study, published Thursday.
Cyber expertise was defined broadly, covering three groups: people who currently hold or formerly held CISO roles; those who held senior technology positions, though not necessarily cyber roles; and those with technology experience who never held a senior position.
About 52% of companies had a board director with some technology experience adjacent to cybersecurity, such as sitting on the board of a cybersecurity company or being affiliated with a cybersecurity-related professional organization.
Cyber credentials on the board are now crucial for good governance, said Emily Heath, a general partner at VC firm Cyberstarts. Heath, a former security chief at United Airlines and at a technology provider, sits on the boards of cybersecurity companies including Wiz.
Directors, in their oversight role, are responsible for ensuring risks are properly managed, including cyber risk, Heath said. “You have to have that cyber knowledge and expertise to know what questions to ask,” she said.
The results of the Diligent/NightDragon study largely mirror similar research by The Wall Street Journal in November 2022. That analysis found that only 86 of the 4,621 board directors at S&P 500 companies had relevant cybersecurity experience within the previous 10 years.
Rules proposed by the U.S. Securities and Exchange Commission would have required companies to disclose which board members had cyber experience, but that provision was dropped from the final rules, which took effect on Sept. 5.
Directors say it is often difficult to find the right candidates for a board-level position. Cybersecurity is a highly technical field, and one in which executives have only recently been elevated to senior leadership. Board work demands broad business experience that many security chiefs lack, said Soto, founder and chief executive of a consulting firm, who is also a director at banking group Popular and at a payroll and benefits administrator.
Soto said boards typically discuss cyber matters for only a limited amount of time during their meetings. Other issues require their attention, and any cyber expert must justify his or her seat by contributing to those discussions as well.
“It is incredibly important that the candidates that will be on the docket to bring this type of expertise into the boardroom are very well-rounded business executives,” she said.
Solving this problem will take effort from both boards and cybersecurity professionals, said NightDragon’s DeWalt: security chiefs must broaden their business knowledge, companies must elevate the CISO role to a true C-suite position, and boards must become better educated about cyber matters.
“I really want to see a continuous education requirement for cyber literacy in the boardroom,” he said.
Write to James Rundle.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
Boards Still Lack Cybersecurity Expertise