As part of recent amendments regarding cybersecurity risk management, strategy, governance, and incident reporting, the U.S. Securities and Exchange Commission (SEC) is proposing new requirements that public companies report whether any of its board members have cybersecurity expertise. Leading U.S. senators are applauding this move to encourage directors to play a more effective role in cybersecurity risk oversight at public companies. Many pundits consider this proposal a natural step in a boardroom transformation that began 20 years ago when the SEC required financial expertise as part of the enactment of Sarbanes-Oxley Act. This proposed new SEC requirement would enable investors to have access to information about the level of cybersecurity expertise on the boards of companies in which they are considering investing or already hold shares.
For some time now, it has been clear that cyber risk is business risk, but recent cybercrime and geopolitical trends have pushed the needle on new regulatory proposals. Since the beginning of the year, we’ve seen a steady drumbeat of alerts and resources for critical infrastructure organizations.
- In January, a joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI detailed tactics, techniques, and procedures associated with a number of Russian state actors.
- In February, CISA issued a plan of tactical recommendations to prepare for and mitigate foreign influence operations targeting critical infrastructure. The document contains the core steps to take to enhance the security of critical infrastructure networks, including understanding the assets you have in your network, their vulnerabilities and risk posture, and developing a robust incident response plan.
- In March, CISA and the FBI warned U.S. and international satellite communication network providers and customers of possible threats, offered specific mitigation recommendations, and strongly encouraged information sharing through CISA’s Shields Up initiative. Within days, CISA held a three-hour call with U.S.-based critical infrastructure owners and operators to discuss intensified preparatory activity by Russia to initiate potentially disruptive and damaging attacks.
- In April, new research was published on the Industroyer2 malware used to target a Ukrainian energy provider, as well as a new advisory from CISA, the NSA, and the FBI on the ability of threat actors to gain full system access to multiple industrial control system devices.
- In May, in light of evolving intelligence, the security agencies from U.S., U.K., Australia, Canada, and New Zealand that comprise the Five Eyes intelligence alliance issued an update to their joint cybersecurity advisory warning of imminent and serious threats to critical infrastructure in countries that have sanctioned Russia or otherwise supported the Ukraine. Cybercrime groups have aligned with Russia, pledging to support the country’s efforts to wage cyber warfare.
It’s against this backdrop that U.S. critical infrastructure organizations across all 16 sectors must move quickly to mitigate risk. The acceleration of digital transformation and the Extended Internet of Things (XIoT), which includes operational technology (OT) networks, Internet of Things (IoT), Industrial IoT (IIoT), and Internet of Medical Things (IoMT) devices, are introducing game-changing connectivity to enterprise, industrial, and healthcare environments. Whether optimizing individual processes or entire factories and other critical infrastructure ecosystems, this expanding universe of devices is helping improve efficiency, reliability, responsiveness, quality, and delivery. However, it is also introducing inevitable risk.
The value of cybersecurity expertise in the boardroom
Strong technology leaders are elevating cybersecurity as an enabling factor in an expanding and open environment where the XIoT is an essential component to unlocking business value. Now their role must be recognized and formalized. The most efficient path to strengthen cybersecurity expertise is to add CISOs to boards, yet globally, only four percent of CISOs sit on corporate boards.
At Claroty, our teams work with many organizations to quickly implement The Claroty Platform to identify, manage, and protect their systems and devices, including the Extended Internet of Things (XIoT). In our experience, we see that as enterprises respond to recent government warnings and mandates and initiate new digital transformation projects, many are finding that accurately identifying – much less reducing – risk is exceedingly complex, particularly in complex environments. At the helm of their leadership, boards need to include CISOs and CIOs who can provide advice on moving forward with digital change initiatives and help companies improve their resilience to threats.
As board members, CISOs and CIOs can explain how changes to the infrastructure can increase growth and/or reduce risk, as well explain the organization’s risk posture, including exposure from new initiatives and the relative impact of potential breach scenarios, and what can be done to mitigate risk. They can also elevate the conversation to ensure understanding, more informed decision-making, and total business alignment, which is especially crucial during a crisis, when companies need to move even faster.
The cost of lacking cybersecurity expertise in the boardroom
When boards lack the CISO and CIO perspective, various scenarios can play out. In some cases, we see complacency where some boards feel they’ve done enough to weather the uncertainty of the global pandemic and plan to continue with the status quo. In other cases, boards have been stymied from making important strategic decisions because they lack the background to understand the full extent of opportunities for digital transformation. They gained an appreciation for what is possible over the last two years and saw the positive impact on the bottom line, but they don’t know how to move forward.
These situations are problematic for several reasons. First, in the rush to support productivity and keep the business moving most teams didn’t have the luxury to account for failure. It’s time to focus on maximizing resiliency. Second, it has become painfully obvious that disruptions are inevitable and successful companies will be those that remain agile. Third, all critical infrastructure sectors are facing heightened threats and there is urgent work to be done to reduce exposure to threats that impact lives and livelihoods. And finally, boards likely would have embraced digital transformation sooner had they had the benefit of the expertise, experience, and insights that CISOs and CIOs can provide to ensure it was done securely. What additional opportunities might they be missing now without expertise at the table to rethink infrastructure and security?
A lack of cybersecurity experts on corporate boards is exposing companies to unnecessary business and compliance risk and slowing down progress. The time has come to make lasting changes to the makeup of boards so we can not only weather disruptions with better business outcomes and mitigated risk, but also do our part to protect the systems that run the world’s infrastructure and are responsible for our well-being.