
Board Insights: S&P500 companies lack cybersecurity and technology expertise on their boards.

April 4, 2023

Cybersecurity governance is an issue that every board now needs to prioritize. With the recent announcement on March 1, 2023, by the Biden-Harris Administration of the new National Cybersecurity Strategy, and with the release of the new SEC Cybersecurity Regulations anticipated to be finalized in April 2023, the topic of cybersecurity should be on every upcoming and ongoing corporate board agenda.

In the recently published report What Directors Think 2023, cybersecurity ranked top of the list of most challenging issues that boards are currently facing. This report, published by the Diligent Institute in collaboration with the Corporate Board Member, includes results from a recent survey of 300 public company directors. This was the 20th anniversary issue of the report, and since 2014 cybersecurity challenges have consistently been ranked by surveyed directors as one of the most challenging issues to oversee.

In 2023 board directors are challenged with the increasing threat from cybercriminals adopting and scaling new attack techniques, and the attack surface of organizations increasing with digital innovation. The threats are real, with cybercrime costs estimated to dramatically increase over the next five years, from $8.44 trillion in 2022 to $23.84 trillion by 2027 according to Statista’s Cybersecurity Outlook. These costs result from theft of funds, intellectual property, personal and business data, fraud, disruption of business and reputational damage. In 2023, cybersecurity can no longer be considered an IT issue but rather an enterprise-wide strategic imperative for private and public companies.

Why is cybersecurity an ongoing and significant challenge for boards?

Understanding cybersecurity and cyber risk is an inherently complex undertaking, exacerbated by the speed of digital innovation, the complexity and scope of cybersecurity technology, a shortage of expertise and emerging regulations. Given this landscape, it is not surprising that boards are finding cybersecurity one of the most challenging issues faced by directors.

Newness and complexity of cybersecurity technology: Cybersecurity is a relatively new corporate discipline, encompassing a wide range of complex technologies and emerging processes and responsibilities. In the U.S. alone there are over 3500 security vendors offering different categories of solutions including authentication, identity access management, firewalls, and threat intelligence to name just a few. Adding to the cybersecurity complexity is that enterprise security is a multi-layered approach that needs to encompass all aspects of the organization’s perimeter including endpoint security, data security, mobile security, application security, cloud security, and network security. Without cybersecurity experience and expertise board directors are not equipped to effectively navigate cybersecurity governance.

Shortage of Expertise: The lack of cybersecurity expertise is not limited to the board but is an industry wide issue. The field of cybersecurity is currently experiencing a shortage of workers with the demand for skilled workers only increasing as the threat landscape continues to evolve. Currently in the U.S. the cybersecurity workforce shortage is estimated at 3.4 million jobs. At the board level there is a need for not just specialized cybersecurity technical knowledge but also a broader understanding of the security landscape and enterprise-wide requirements, and communications experience related to incident reporting.

New and emerging government regulations: Staying up to speed on emerging government regulations is critical for boards. In 2023 boards need to be aware of the requirements of the forthcoming SEC regulations for cybersecurity, which place additional requirements on corporations for reporting and oversight of cybersecurity. In particular, the new regulations include a proposed requirement, Item 407 of Regulation S-K, for periodic disclosure of the board of directors’ cybersecurity expertise.

Digital transformation increases cyber risk and attack surface: We are living in a digital world that is moving at an ever increasing speed of innovation. As public and private corporations implement digital innovation this leads to new cyber risks. Typically cyber attackers have been at least one step ahead with their use of digital innovations for fraud and cybercrime. Digital transformation and innovation initiatives require not only near term cybersecurity risk assessments and evaluation but also significant long range planning and oversight by the board. Implementation of AI, ChatGPT, and preparing for post quantum security, are a few of the hot topics that currently require strategic board oversight related to cyber risk.

  • ChatGPT: It didn’t take long for security concerns to emerge in the enterprise use of ChatGPT, in particular the threat from leakage of proprietary business data. It was recently reported in Dark Reading that Cyberhaven, a data security service, blocked input data into ChatGPT from 1.6 million workers at its client companies, because of the risk of leaking confidential information.
  • AI: Not only are cybercriminals making use of AI to increase the performance and scale of their attacks, they are also attacking the AI models being used by corporations to deliver services. These AI attacks include model poisoning, data tampering and theft.
  • Post quantum security: Quantum computing poses threats to existing encryption techniques. Organizations and boards should be preparing for post quantum security and the implementation of new encryption standards that are resilient in a post quantum world.


Going forward, effectively managing cybersecurity is a top priority for every public and private entity. The best performing organizations will prioritize their cybersecurity governance with leadership from their boards. The National Association of Corporate Directors (NACD) advocates for boards to develop a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance and good corporate citizenship. Given the challenges for board directors in coming to grips with cybersecurity issues, here are three key priorities for corporate boards in 2023.

3 Cybersecurity Priorities for Corporate Boards in 2023

  1. Recruit cybersecurity tech and communication expertise to the board. Look beyond traditional networks. Board members with cybersecurity experience come from the tech world and can be from public or private companies and first time board members. Look for board members who have the expertise and willingness to speak up and ask the difficult questions to understand risks, impacts and responses related to cybersecurity and managing risk. Look for board members who have worked in cybersecurity tech companies and can bring a broad understanding of the industry, threats and risk management approaches to the board. In particular, look for expertise and experience in crisis communication related to reporting cybersecurity threats and vulnerabilities. With the new SEC regulations, reporting and communication of cybersecurity incidents will have increased focus. Cybersecurity threats represent major threats to shareholder value, brand reputation, market share and long term survival.
  2. Review corporate cybersecurity team and processes. Review the corporate cybersecurity organization, team members, training, experience and processes in light of forthcoming SEC regulations. Request regular board updates from the cybersecurity lead. In cybersecurity it is a question of “when not if” a cybersecurity issue is going to happen. The adversaries in cybersecurity represent a continually moving target, with evolving attacks and threats, which means that cybersecurity risk management and resilience is an ongoing task. Ensure that processes for cybersecurity reporting and communication of incidents include regular and transparent communication with the board.
  3. Commit to cybersecurity training for board members. Ensure board members have thorough and continuing cybersecurity training. Tap into company team members to provide training; this also provides a connection between the board members and key cybersecurity team members outside of managing a cybersecurity crisis.

How to find board members with cybersecurity expertise?

Firstboard.io provides a curated list of female board member candidates from the technology industry, including many with cybersecurity experience.

Further Resources

The National Association of Corporate Directors (NACD) has an excellent publication entitled 2023 Director’s Handbook of Cyber-Risk Oversight.

About the Author

Paula Skokowski has more than fifteen years of cybersecurity experience bringing to market industry leading security solutions at Shape Security, Yubico, Incognia and kiteworks. She is the author of the first industry report on Credential Stuffing and is experienced in security vulnerability reporting and communication. She is a highly accomplished business leader and early employee at five VC-backed startups across cybersecurity, fraud, AI, robotics and IoT, resulting in two IPOs, one $1B acquisition, and two $500M+ valuations. Paula is a Co-Founder and Fund Manager for the Oxford Angel Fund and is a GTM Advisor to early-stage companies. Paula holds a Bachelor's degree in Engineering Science from the University of Oxford and an MSc in Robotics from UC Berkeley. She is part of the Leadership Council of Firstboard.io, working to add diversity to corporate boards, and is a member of the University of Oxford Alumni Board.