CISO, The Board, and Cybersecurity

Board Director
4 min read · Mar 24, 2023

The cybersecurity industry has understood for more than ten years the need for clear communication with the board of directors. However, chief information security officers (CISOs) often face a challenge: they do not have a platform designed to measure their return on investment (ROI), which makes it difficult to demonstrate their value to the business. As the owner of BoardDirector, I understand the challenges CISOs face when presenting to the board of directors.

Board members often know little about cybersecurity, which makes it hard for CISOs to get their message across. To communicate effectively with the board of directors, CISOs must use business-focused language that board members can easily understand rather than technical jargon. This means explaining the cybersecurity consequences of everyday business decisions, such as adopting certain software in a hybrid work environment or expanding through partnerships. For example, CISOs might explain the potential risks of data breaches or cyber-attacks, which could affect the company’s reputation, finances, or even legal standing.

To help the board grasp the significance of cybersecurity, CISOs should discuss it in business terms, without technical jargon. This will help persuade the board to invest in cybersecurity measures that protect the company’s interests. Additionally, the SEC may soon require companies to disclose their cybersecurity capabilities. As a result, boards may start searching for cybersecurity experts, creating an excellent opportunity for CISOs.

SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets

“I am pleased to support this proposal because, if adopted, it would set standards for Market Entities’ cybersecurity practices,” said SEC Chair Gary Gensler. “The nature, scale, and impact of cybersecurity risks have grown significantly in recent decades. Investors, issuers, and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. This proposal would help promote every part of our mission, particularly regarding investor protection and orderly markets.”

“Market Entities increasingly rely on information systems to perform their functions and provide their services and thus are targets for threat actors who may seek to disrupt their functions or gain access to the data stored on the information systems for financial gain. Cybersecurity risk also can be caused by the errors of employees, service providers, or business partners. The interconnectedness of Market Entities increases the risk that a significant cybersecurity incident can simultaneously impact multiple Market Entities causing systemic harm to the U.S. securities markets.

The proposal would require all Market Entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. The proposal — through new notification requirements applicable to all Market Entities and additional reporting requirements applicable to Market Entities other than certain types of small broker-dealers (collectively, “Covered Entities”) — would improve the Commission’s ability to obtain information about significant cybersecurity incidents affecting these entities. Further, new public disclosure requirements for Covered Entities would improve transparency about the cybersecurity risks that can cause adverse impacts to the U.S. securities markets.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.”

https://www.sec.gov/news/press-release/2023-52

CISO & THE BOARD

As a CISO, it’s crucial to communicate the importance of cybersecurity to the board of directors. One way to do this is by highlighting the risks of using email for board communication. Email is not a secure platform and is susceptible to hacking, phishing attacks, and data breaches. This can put sensitive company information at risk, damaging the company’s reputation and finances.

But there’s a solution — a board portal like Board Director. Our platform provides a secure environment for board members to access and share confidential information. With multi-factor authentication and encryption features, data is protected at all times. Additionally, the software creates an audit trail that lets CISOs monitor who accessed which information, adding an extra layer of security.

Using a board portal, CISOs can show the board that cybersecurity is a top priority for the company. They can explain how Board Director helps the board work more efficiently by having all relevant information in one place, improving decision-making and collaboration. A board portal enhances the company’s cybersecurity and protects its interests. Contact us today to learn how Board Director can help your company.

Conclusion

The SEC’s proposed rule provides CISOs a unique opportunity to shape the conversation around “cybersecurity as a business enabler.” CISOs must connect with board members by adopting a business-focused language and using a secure platform like Board Director to maximize this opportunity. Contact us today to learn more about how our board portal software can help your company improve its cybersecurity governance capabilities.

www.BoardDirector.co

Thanks for reading. We’ll see you on the next one.

Board Director

Increasing the impact, influence and income of nonprofit organizations.