The SEC’s intent to standardize cybersecurity reporting rules for public companies has caused business leaders to reevaluate their board communications. Board members are increasingly eager to better understand cyber risk threats to their organizations and best practices for mitigating them.
Boards of directors act as fiduciaries on behalf of organizations and their shareholders, which includes the responsibility to inform and offer appropriate guidance on critical business matters. Cyber risk today falls squarely within this category. Unfortunately, there is a significant gap in cybersecurity domain knowledge. One study recently found that 90% of organizations lack even one board member with cyber expertise.
This widespread need for further education is one reason I am excited to announce a new partnership between Zscaler and the National Association of Corporate Directors (NACD). Our collaboration will focus on helping board members build foundational cyber and zero trust knowledge, advance effective cybersecurity discussions between executives and boards, and promote a deeper understanding of overall cyber risk exposure.
Cybersecurity risk demands increased vigilance
Zscaler’s ThreatLabz team documented a 20% jump in encrypted attacks, which make up the majority of all cyberattacks, between 2021 and 2022. Hacks make headlines daily, and investors are watching. Now demand is growing for greater transparency regarding how companies mitigate this risk.
The proposed SEC rule would enforce disclosure of governance methods, risk analysis, and management processes in SEC filings. Enterprise boards that were comfortable in the traditional areas of financial performance, strategy, business risk, talent, and governance are expected to expand their scope to areas such as environmental, social, and governance (ESG); diversity, equity, and inclusion (DEI); and cybersecurity risk oversight practices. This is on top of persistent macro issues like economic downturns, climate change, social unrest, and war.
To guide their organization appropriately, boards now require high-level oversight on cyber risk management and threats. This represents a significant opportunity for both board members and growth-oriented IT and security leaders to step in and become trusted board advisors on such topics.
Applying risk-cost-benefit analyses to cybersecurity
Only a quarter of organizations today could accurately assess the financial impact of a cyber incident, a Deloitte poll recently found. This haziness about the possible consequences of a cyber incident undermines a core responsibility of boards: managing organizational risk. In cybersecurity, there is always a balancing act between absorbed, assumed, mitigated, and transferred risk.
To better gauge risk exposure, board members should consider questions including:
- What is an appropriate level of risk exposure and tolerance?
- How can the board best work with executives to evaluate the cybersecurity investment balance between risk, controls, and related costs?
- How do I determine whether new cyber-related initiatives can provide a return on investment?
Board governance of cyber risk
Zscaler and the NACD have partnered to help boards build the knowledge required to lead their enterprises into the cloud-first future. Without the proper cybersecurity strategy and solutions in place, CISOs and their teams spend too much time on reactive security – plugging gaps in risk mitigation or minimizing the impact of cyber events – rather than developing strategic, comprehensive risk reduction regimes to address current and future threats.
To improve outcomes, when in front of boards security leaders must stress:
- Cyber risk is business risk. No longer an IT-specific concern, the risk from disruptions and breaches threatens brands and their reputations, with major financial implications for organizations and their shareholders.
- Cybersecurity is a never-ending job. Especially given the current threat landscape, leadership must continually re-assess cyber risk. For many organizations, cyber risks are only re-assessed in case of a trigger incident (i.e., breach, disaster recovery, during M&A, a review of tech budgets).
- Your adversaries only need to succeed once. Cybercrime is ever-growing and ever-changing, at an unprecedented rate. Criminal groups are now well-funded. Nation-state actors (whether tacitly or explicitly government-supported) are growing in sophistication and capability, with many attacks tailored to target and harm a specific organization. These individuals only need to identify one small, exploitable weakness in an organization to gain access.
- Security should be proactive. CISOs and security teams must expand beyond continuous tactical defense mode to developing a whole-of-organization, strategic cyber risk solution to properly address root solutions to current and future threats.
- Everyone must step up. Security, privacy, risk, and compliance do not fall under specific roles in the organization; everyone must share responsibility for organization-wide reduced risk.
The time to act is now
Whether focused on strategy or governance, a board’s role is responsive to crisis levels. Managing cyber risk, on the other hand, requires a constant and proactive fine tuning of threat detection capabilities, risk exposure, and acceptable levels of risk.
Attackers target corporations as much as they do governments, and the risks, along with the loss of a competitive edge, are too critical to leave unaddressed.
Boards and CXOs must:
- Understand their cybersecurity strategy and how the organization’s data, users, and customers are protected in order to ensure the executive team is making decisions inline with the organization’s risk tolerance.
- Articulate cyber risk exposure based on data and the economic impact
For boards to meet their fiduciary responsibility to their organizations, cyber risk should be a top-of-mind, continual conversation with their executive team. Zscaler believes in educating all business leaders on cybersecurity risks and taking steps to help their organizations become more secure. We are proud to partner with the NACD in advancing that aim. While we won’t be able to inject cybersecurity expertise into every board overnight, we can advance top-down cyber risk literacy through initiatives like NACD advocacy and the CXO REvolutionaries.
What to read next: