
SEC places security on the board agenda

Tom Turner | June 17, 2014
Board members need to care about cybersecurity

Comments by Securities and Exchange Commission official Luis Aguilar have further fueled the debate about the role of the corporate board in addressing cybersecurity risk. The board already has a risk oversight responsibility, so in theory extending that responsibility to cybersecurity risk is an excellent idea. In practice the idea is excellent too, but how should that practice manifest itself?

It took a long time for the CISO role to emerge in corporate America (and maybe 25% of large enterprises have one), so it will be quite a while before it becomes a consistent board seat. In the meantime, corporate boards are made up of current and former CEOs, CIOs and CFOs, academics, and distinguished public servants from civilian and military backgrounds. I believe they are all too aware of the implications of cybersecurity risk. Like many senior executives, boards have recently had a crash course in the impact of security breaches, either because they have witnessed them first hand or from 'a safe distance' as competitors and peers have struggled through cyber attacks and loss disclosures. But there is no existing framework for discussing cybersecurity risk among a corporate board, certainly nothing that equates to their existing framework for discussing growth, profitability, legal exposure, supply chain, M&A, HR best practices, geopolitical risk, etc. For those perpetual board meeting topics there is a consistent push for internal data and instrumentation that can be compared and benchmarked against a peer group, an industry or a competitor.

For 'the practice' of board oversight to extend to cybersecurity risk, those same benchmarks must exist. Without objective comparison against peers, competitors and the industry, how can the experience and advice of your celebrated academic, retired CEO, distinguished public servant or maverick CIO have any context? How can measurement be put in place?

Mr. Aguilar is on the right track. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial and reputational repercussions for board members who fail to treat this issue as a critical priority in retaining and growing the value of a company. Yet, while the time for board-level discussions on cybersecurity has come, it is also the time for new, innovative solutions to enable this practice. This is where Security Ratings come in.
