Although the US Securities and Exchange Commission has published guidelines for better cybersecurity governance, for years public companies have mostly ignored them. And while the requirements may be difficult to meet, companies that made the effort created nearly four times more shareholder value than those that didn’t.
Bitsight and Diligent surveyed thousands of public companies, finding a correlation between cybersecurity experience and average total shareholder returns over three and five years. (Source: Bitsight)
That’s the conclusion of a new survey conducted jointly by Bitsight and the Diligent Institute, titled “Cyber security, audit and board of directors.” The survey took an in-depth look at more than 4,000 medium- and large-sized companies around the world, analyzing the skills of directors along with the backgrounds of members of specialized audit and risk committees. It measured cybersecurity expertise against 23 different risk factors, such as the presence of botnet infections, servers hosting malware, outdated encryption certificates for web and email communications, and open network ports on public servers.
“Boards that exercise cyber oversight through specialized committees with a cyber-savvy member rather than relying on the entire board are more likely to improve their overall security postures and financial performance,” says Ladi Adefala, cybersecurity consultant and CEO of Omega315, who agrees with the report’s conclusions. He worked on this issue for a Fortune 500 company and found that “the board did not have a specialized committee that dedicated time to delving into cyber topics. They also did not have enough members and therefore could not afford to have specialized cyber committees,” he says. Part of his consulting business involves helping set up such committees, what he calls giving cyber civics lessons.
Staffing aside, poor cybersecurity governance is nothing new: public companies have paid little attention to cybersecurity for years. Security expert David Froud, for example, has been writing on this topic since at least 2017. What is new is seeing how difficult it is to evaluate cyber expertise and build lasting governance.
According to the Bitsight report, having separate, specialized board committees focused on risk and audit compliance produces the best results. The authors wrote: “These committees are better positioned to delve deeper into specific cybersecurity issues and can develop stronger relationships with executives in charge of day-to-day cybersecurity operations. This, in turn, can lead to improved cybersecurity policy, budget and other decisions made at the board level.”
The survey found a broader range of cyber expertise among healthcare and financial services companies, which ranked first, than among industrial companies, which ranked last.
What is significant is that the vast majority of companies have done a poor job of integrating such specialists into their boards and committees. The report found that only 5% of respondents (and 12% of S&P 500 companies) had these specialists on their boards of directors. But simply having a CISO or CTO on the board is no guarantee of cybersecurity performance. “These experts need to be integrated into existing structures” and safeguards, Bitsight noted.
Another governance weakness is not mentioned in the report: building lasting cyber resilience. This was the subject of another survey, conducted by the Cybersecurity at MIT Sloan research consortium and published in the Harvard Business Review last year. The MIT team surveyed 600 board members and found that their interactions with CISOs are lacking. Less than half of respondents have regular contact with their CISOs, and that contact is mostly limited to presentations at board meetings and little else.
In many cases, these presentations are limited to the mechanics of protective measures, such as how often red team exercises or phishing awareness training are conducted. Keri Pearlson, executive director of the MIT consortium and co-author (together with Lucia Milică, Global Resident CISO at Proofpoint) of the HBR article, draws an analogy with the medical world: “When we are exposed to an infection, whether we get sick or not, we have things in our body that automatically kick in to make us feel better again.”
What is needed, Pearlson adds, is for “boards to discuss their organization’s cybersecurity risks and evaluate plans to manage those risks.”
As Adefala summarizes, “The most compelling way is to leverage cybersecurity as a strategic asset for revenue creation or operational agility, rather than as an operational necessity.”