Many boards of directors are creating dedicated cybersecurity committees, and CISOs hope that, if implemented correctly, these types of committees will improve communication with boards and lead to more support and resources for organizations’ cybersecurity strategies.
In a recent CISO Report by Splunk, 78 percent of CISOs and other security leaders reported a dedicated board-level cybersecurity committee at their organizations. These committees may be made up of qualified individuals or potentially even third parties - not necessarily company employees - that give guidance to the board around matters like risk assessment and cybersecurity strategy. The adoption of these types of committees has been a long time coming: In 2021, Gartner predicted that in 2025, 40 percent of boards of directors would have a dedicated cybersecurity committee - up from less than 10 percent that year.
For CISOs, these board-level cybersecurity committees can potentially bridge communication barriers between security teams and boards, said Kirsty Paine, field CTO and strategic advisor for EMEA with Splunk.
“Cybersecurity committees can ensure cyber risk receives the attention it deserves, adding weight and resources to board-level conversations,” said Paine. “Their existence changes the governance model for cybersecurity and provides oversight that may have previously been lacking. The CISO can expect more scrutiny but also more support; the committee is a constant voice in the ear of the board, talking about cyber security risk.”
Adoption of Cybersecurity Committees
As more board members begin to understand the importance of cybersecurity, they are forming these committees to make sure that cybersecurity concerns are being prioritized and discussed in a confidential environment. John Bruns, global CISO and chief customer advocate with Anomali, and previously the CISO of the state of Maryland, said that these types of committees can help board members understand the right number of people and processes needed “to meet their risk appetite.” The state of Maryland formed the Maryland Cybersecurity Coordinating Council, for instance, as a way to better convey shared risks across the state’s executive branch, said Bruns.
“Following the 2021 incident at the Maryland Department of Health that resulted in a substantial economic impact on the State, this information sharing became instrumental to building resilience around critical systems and preventing future incidents,” said Bruns. “This committee… allowed key stakeholders, cyber experts, and even Secretaries of each department, to share plans around future cybersecurity investments and strategies with an effort to better align resources and technologies to protect the entire State.”
Another factor driving the creation of these types of committees is an increase in conversations about cybersecurity liability at the C-suite level. As part of its cybersecurity rule finalized this year, the SEC considered requiring companies to describe both their board members’ oversight of security risks and the board’s cybersecurity expertise. While evidence of board-level cybersecurity expertise is not explicitly required in the final rule, companies must describe their boards’ oversight of security risks, such as the processes through which the board is informed about those risks.
“The SEC ruling backed off a little bit in terms of what they were originally talking about doing, but there’s definitely a trend of wanting to get more knowledge to the board on security risks in general,” said Rick Holland, CISO at ReliaQuest. However, Holland warned against boards of directors developing cybersecurity-focused committees merely to check a box showing that they have one.
“I think it’s very easy to say, ‘oh, we have a new subcommittee on cybersecurity risk,’ but it’s another thing to fund the things that need to be done,” said Holland. “There could be a checkbox showing inside perspective and outside expertise, but really what matters is how the board, the business decide to try to quantify that risk and put controls in place.”
Communication Gaps Between CISO and Boards
For CISOs, these committees could play an important part in closing the gap between CISOs and board members in how they perceive and prioritize security threats, and in communicating the context around cyber risks.
Previous reports have shown that CISOs and board members are not on the same page. For instance, a Proofpoint report last year found that while board members’ top concerns around the consequences of a security incident revolved around internal data becoming public and reputational damage, CISOs worried more about significant downtime and disruption to operations. At the same time, according to Splunk’s report, 84 percent of CISOs say that their governing board or body equates strong security with regulatory compliance, as opposed to best practices.
Still, collaboration between these two parties is important. CISOs are responsible for developing security programs and driving an overall culture that prioritizes security, but board members can help drive these initiatives by keeping cybersecurity as a top priority on the agenda and setting an example for other leaders across the organization. Splunk’s CISO report, which was based on a survey of 350 CISOs (coupled with in-depth interviews with 20 CISOs), found that about 86 percent of CISOs view their biggest responsibility as making sure the governing body or board sees value in funding security investments.
“Dedicated board-level cybersecurity committees are a proactive step toward enhancing an organization's security posture,” said Devin Ertel, CISO at Menlo Security. “This initiative facilitates collaboration between the CISO and board members, fostering a partnership that offers invaluable insights and aligns security strategies with business objectives. Effective communication between these parties is pivotal for the partnership's success, ensuring that the security program remains adaptable and aligned with the business and evolving threat landscape.”