According to a recent article in the Wall Street Journal, corporate boards are getting much more involved in cybersecurity. What’s driving this behavior? While the Target breach probably influenced this behavior, corporate boards now realize that cybersecurity has become a pervasive risk that could have an adverse impact on all businesses. This is consistent with recent ESG research where 29% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) said that executive management (and the corporate board) is much more engaged in cybersecurity situational awareness and strategy than it was two years ago, while another 40% stated that executive management (and the corporate board) is somewhat more engaged in cybersecurity situational awareness and strategy than it was two years ago.
What does this mean? Further board-level participation in all things cybersecurity has several ramifications for the infosec community at large (i.e., security professionals, product vendors, service providers, researchers, etc.):
1. Opportunities for consultants and threat intelligence providers. Consultants that can bridge the gap between nerdy cybersecurity technology and business risk will be called upon to educate corporate boards and provide strategic recommendations. This group will cover a broad range of vendors from Accenture, Booz Allen, IBM, and McKinsey to analyst firms like ESG. Additionally, corporate boards will want specific data about the threat landscape and industry cybersecurity metrics – a great opportunity for cybersecurity benchmarking and intelligence firms like BitSight, Dell SecureWorks, and Vorstack.
2. The evolution of the CISO position. The good news is that the CISO position will grow in terms of stature and compensation. The bad news is that these new demands will greatly limit the number of candidates with the right technical and business chops for the job. A few years ago, I recommended splitting the CISO job into two – a Chief Information Security Technology Officer (CISTO), and a Chief Information Security Business Officer (CISBO). The first role would be responsible for modernizing the cybersecurity infrastructure and ensuring that new IT initiatives have the right level of security protection and oversight. The latter role would be tasked with understanding the cybersecurity implications to the business. As corporate boards become increasingly engaged in cybersecurity, this seems like a good division of labor to me.
3. Greater scrutiny of cybersecurity metrics. Corporate board involvement will likely further goose security budgets over the next few years. Nevertheless, security spending will come with further demands for oversight as corporate boards will want to know how much cybersecurity protection they actually get for their money. Yes, we’ve been trying to figure this out for years, but we do have a new weapon at our disposal – big data. By capturing, processing, and analyzing all relevant security data, we should be able to figure out things we couldn’t in the past. For example, should security controls be applied to endpoints, networks, or both? Big data should be able to provide objective financial and risk metrics to answer questions like this one. My guess is that companies like Agiliance, Archer (RSA Security), Splunk, and Symantec will offer this type of big data GRC functionality soon.
4. More pushback on the federal government. As corporate mucky-mucks are exposed to cybersecurity risk, it is likely to scare the ever-living daylights out of many who were previously in the dark. Since these folks tend to be active in politics, it’s likely that cybersecurity issues will get a solid push from both sides of the political spectrum.
For years, infosec professionals complained about the lack of cybersecurity knowledge and prudent decision making by business executives. As this apathy abates, CISOs and security industry leaders find themselves with more money on the one hand and more responsibility on the other. On balance, this is a very positive step, but it’s important to realize that we are in uncharted waters. Those few individuals, vendors, and service providers that offer real help navigating these rough seas will be in high demand.