It took a long time for the CISO role to emerge in corporate America (and maybe 25% of large enterprises have one), so it will be quite a while before it becomes a consistent board seat. In the meantime, corporate boards are made up of current and former CEOs, CIOs & CFOs, academia and distinguished public servants from civilian and military backgrounds. I believe they are all too aware of the implication of cybersecurity risk. Like many senior executives, boards have recently had a crash course in the impact of security breaches. Either because they have witnessed them first hand….or from ‘a safe distance’ as competitors and peers have struggled through cyber attacks and loss disclosures. But there is no existing framework for discussing cybersecurity risk among a corporate board, certainly nothing that equates to their existing framework for discussing growth, profitability, legal exposure, supply chain, M&A, HR best practices, geopolitical risk etc. For those perpetual board meeting topics there is a consistent push for internal data and instrumentation that can be compared and benchmarked with a peer group, an industry or a competitor.
For 'the practice' of board oversight to extend to cybersecurity risk, those same benchmarks must exist. Without objective comparison between peer/competitor/industry, how can the experience and advice of your celebrated academic, retired CEO, distinguished public servant or maverick CIO have any context? How can measurement be put in place?
Mr. Aguilar is on the right track. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial and reputational repercussions for board members that fail to place this issue as a critical priority in retaining and growing the value of a company. Yet, while the time for board level discussions on cyber security has come, it is also the time for new innovative solutions to enable this practice. This is where Security Ratings come in.