As though CIOs didn’t already have enough to deal with, it turns out that the rules are changing on us. Cybersecurity has always been a big deal for our firms; however, the U.S. government is starting to understand just how big of a deal it is. It turns out that if your company suffers a cybersecurity attack, it could have an impact on your company’s ability to stay in business. This could have a dramatic impact on the value of your company. Because of this, the government wants to know more about what is going on at your company in terms of cybersecurity. This means that the CIO has one more job to do.
A Request For More Information On CyberAttacks
CIOs expect that they are going to end up having a closer relationship with their boards based on recent Securities and Exchange Commission proposals seeking to pry more details from companies about cyberattacks and their defense measures. Some CIOs worry that the SEC is going too far. Under recent proposals from the U.S. Securities and Exchange Commission, the agency is asking to know more about how listed companies manage their cyber risk. CIOs would be required to disclose which board directors have cybersecurity expertise, how often the topic of cybersecurity is discussed and what, if any, oversight the board has over its cyber matters. The SEC wants to go further in providing information for investment funds and advisers, requiring boards to approve all cybersecurity policies.
The proposals, which are now open for public comment, indicate the SEC is starting to get tougher as pervasive cyberattacks cost victims billions of dollars a year. These losses are based on estimates from the Federal Bureau of Investigation. Not everyone is happy with the SEC’s new proposals. A lobbying group for asset managers has expressed concern over the breadth of the proposed rules. In a letter that they sent to the SEC they said that while companies should have processes in place to escalate cyber issues to boards, directors shouldn’t be expected to manage them directly.
The thinking behind the request to the SEC is that the requirement that boards approve policies and procedures and exercise formal oversight is too prescriptive and crosses into the realm of management. But others say the new rules provide much-needed clarity on expectations from the government watchdogs, as cybersecurity has become a core business risk for companies of all sizes. Many CIOs view this as being a reset, and they think the advantage of this reset is the SEC is being very clear. They’re telling companies what they expect.
A New World For CIOs
CIOs know that in practice CIOs and others with cyber responsibilities must learn how to translate their cybersecurity data into clear risk information that their nontechnical board directors can quickly understand. What this means is that this may force some companies to rethink the CIO role itself. When a CIO lands their first cybersecurity executive position they may lack experience interacting with a corporate board. Just to make things tougher, they may not receive much help. Often CIOs view their first board meeting as being a sink or swim event.
The SEC’s call for senior leaders and directors to understand and disclose more about their company’s cybersecurity posture will require developing a strong relationship between the CIO and the board. It will change how companies develop the next generation of CIOs. This means that they will end up relying less on technical knowledge and more on business-risk experience when they are looking to fill the CIO position. Additionally, companies may end up having to examine the composition of their boards more closely in light of the rules and the heightened cyber threat environment. Many of today’s boards often suffer from a lack of technical knowledge, which can lead to the improper management of risks.
CIOs believe that across boards, globally, there is a lack of understanding as to not just technology, but security in terms of how important it is to an organization, but equally the impact on an organization if there is an IT or a broader security incident. Installing directors with cybersecurity expertise on boards can help the rest of the board grasp these cybersecurity issues. It is important to note that simply having cyber experts on boards isn’t sufficient to meet the SEC’s new demands. What can happen is that the security staff will engage with that member alone, using the director as an interpreter for other board members, who then assume that their more technical peer has the situation in hand. Invariably, what can happen is the balance of the board checks out. What CIOs and other staff will have to do is to find ways to convey the issues they’re facing in language all board members are conversant in. This means talking in terms of business risks, the cost of mitigating them and the resources needed to manage future risks.
What All Of This Means For You
CIOs have to deal with change all the time. There is yet one more change that appears to be coming their way. The U.S. government’s SEC is in the process of changing the rules regarding what a company’s board of directors has to know about the cybersecurity threats that the company is facing. Since the CIO is the person who both has this information and interacts with the board, the CIO is going to be required to be the person who keeps the board of directors up to date.
The SEC is proposing that companies disclose how listed companies manage their cyber risk. These new rules include disclosing which board directors have cybersecurity expertise, how often the topic of cybersecurity is discussed and what, if any, oversight the board has over its cyber matters. The SEC also wants boards to approve all cybersecurity policies. Some CIOs are concerned that the SEC is going too far and that board directors should not have to manage cybersecurity issues directly. Other CIOs believe that the new rules will provide needed insight into how a company is managing its cybersecurity threats. CIOs may have to find ways to translate their cybersecurity threats into language that the board of directors can understand. Having this set of skills may change how companies go looking for their next CIO. CIOs are going to have to learn how to talk about cybersecurity with their boards.
CIOs understand that cybersecurity has become an important issue for every company. What this means is that we are spending more and more of our time finding ways to keep our company secure. Everyone seems to understand the importance of cybersecurity and now the U.S. government wants to make sure that CIOs are keeping their boards aware of everything that is going on. CIOs are going to have to learn how to translate what they are doing in terms of securing the company into conversations that they can have with their boards.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: How often do you think that CIOs should talk with their boards about cybersecurity issues?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!
What We’ll Be Talking About Next Time
As CIOs, despite having access to some of the most sophisticated communication tools available, most of us still do most of our communicating via emails. Not just a few emails, but a whole lot of emails. When we send an email out, there is a very good chance that the person that we sent the email to will reply to it. We may then reply to their reply. They will then probably reply to our reply to their reply. And so on. You can see how this back and forth thing can really start to build up. It turns out that all of this email exchange stuff is actually really bad for CIOs to be doing…