{"id":14758,"date":"2022-10-26T13:00:15","date_gmt":"2022-10-26T17:00:15","guid":{"rendered":"https:\/\/www.dhrglobal.com\/?p=14758"},"modified":"2023-08-18T09:54:16","modified_gmt":"2023-08-18T13:54:16","slug":"cisos-in-the-boardroom","status":"publish","type":"post","link":"https:\/\/www.dhrglobal.com\/insights\/cisos-in-the-boardroom\/","title":{"rendered":"CISOs in the Boardroom \u2013 The First of a Series"},"content":{"rendered":"\n<div class=\"block-hero alignfull  has-breadcrumb\">\n    <div class=\"outerwrap\">\n        <div class=\"wrapper\">\n            <div class=\"copy\">\n\n                                    <h1>CISOs in the Boardroom \u2013 The First of a Series<\/h1>\n                \n            <\/div>\n        <\/div>\n\n            <\/div>\n<\/div>\n\n\n<div class=\"block-insights-detail no-intro\">\r\n\t\t<div class=\"meta\">\r\n\t\t<p class=\"date\">October 26, 2022<\/p>\r\n\t\t<p class=\"type\"><a href=\"https:\/\/www.dhrglobal.com\/insights\/#\/type\/insights\">Insights<\/a><\/p>\t\t<p class=\"author\">Authors:<\/p><ul><li><a href=\"https:\/\/www.dhrglobal.com\/consultant\/kathryn-ullrich\/\">Kathryn Ullrich<\/a><\/li><li><a href=\"https:\/\/www.dhrglobal.com\/consultant\/heather-smith\/\">Heather Smith<\/a><\/li><\/ul>\t<\/div>\r\n<\/div>\n\n\n<h2><strong>It\u2019s Happening Again \u2013 Massive Change Expected to America\u2019s Boards of Directors, 20 Years After Sarbanes-Oxley<\/strong><\/h2>\n\n\n\n<p>Not since 2002 and the passing of the massively consequential Sarbanes-Oxley Act, when the Securities and Exchange Commission (SEC) required
America\u2019s boards of directors to appoint Chief Financial Officers and form audit committees, has there been such a critical impending change to board skillsets and reporting. The SEC has once again identified a serious gap in board expertise, governance, planning, accountability, public disclosure and response \u2013 this time in the areas of cybersecurity and risk assessment \u2013 and is making regulations, expected by the end of this year, to address them.<\/p>\n\n\n<div class=\"block-billboard alignfull has-dark-blue-background-color alignfull\">\n\t<div class=\"maybe-wrapper\">\n\t\t<div class=\"inner\">\n            \n\n<p>\u201cStrengthening the boardroom for cyber control in 2022 is as vital as strengthening the boardroom in critical financial reporting control was in 2002.\u201d<\/p>\n\n\n\n<h5>&#8211; Harvard Law School Forum on Corporate Governance,<br><a rel=\"noreferrer noopener\" href=\"https:\/\/corpgov.law.harvard.edu\/2022\/04\/11\/proposed-sec-cyber-rules-a-game-changer-for-public-companies\/\" target=\"_blank\">Proposed SEC Cyber Rules: A Game Changer for Public Companies<\/a><\/h5>\n\n\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n\n\n<p>The SEC\u2019s proposed amendment requires boards to begin reporting on material incidents and providing updates; initiating and reporting on policies and procedures to identify and manage those risks; reporting on their impact on the bottom line; reporting their resolution; and notifying investors about those incidents.
Thus far, the SEC has only talked about the specific outcomes it wants to see implemented and has not provided specifics about how companies can best satisfy the new requirements.<\/p>\n\n\n\n<p>DHR Global has been actively focusing on what the right cybersecurity expertise encompasses at the board level and how it will dovetail with other board positions such as the Chief Information Officer, and is recommending that its clients get ahead of the new rules by recruiting highly qualified Chief Information Security Officers (CISOs) to take their seats at the table as board directors. According to DHR\u2019s proprietary research, to date, only 7 of the 500 largest public companies in the U.S. have an experienced CISO currently sitting on their corporate board of directors.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u201cAmong our clients we are increasingly seeing that cybersecurity is becoming a new agenda item at every board meeting,\u201d said <a href=\"https:\/\/www.dhrglobal.com\/consultant\/heather-smith\/\">Heather Smith<\/a>, Partner in the <a href=\"https:\/\/www.dhrglobal.com\/function\/board-ceo\/\">Board &amp; CEO Practice<\/a> at DHR. \u201cOur research shows that the vast majority of boards do not have a CISO among them. As such, non-technical board members are called on to provide guidance on cybersecurity risk. It\u2019s becoming apparent that there is a specific cybersecurity skillset that we are recruiting for to meet both the current need and the impending SEC requirement.\u201d<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u201cThe ideal board CISO provides a competitive advantage and brings relevant, recent experience from the last two years, has a long lens when it comes to the latest cyber vulnerabilities and a strategic, proactive outlook, and is able to communicate effectively regarding what risk management entails at the board level.
They understand IT security but also the company\u2019s strategy and how IT should support that strategy,\u201d added <a href=\"https:\/\/www.dhrglobal.com\/consultant\/kathryn-ullrich\/\">Kathryn Ullrich<\/a>, Managing Partner in the <a href=\"https:\/\/www.dhrglobal.com\/industry\/advanced-technology\/\">Advanced Technology Practice<\/a> at DHR.<\/p><\/blockquote>\n\n\n\n<h3 class=\"has-green-color has-text-color\"><strong>The Threat Is Varied, Affecting Every Segment and Industry<\/strong><\/h3>\n\n\n\n<p>What has caused this massive threat and critical omission at the board level? Digital technologies and their impact on the modernization of networks and infrastructures are at the heart of the issue. Already in play, these changes have been sped up out of necessity by business closures and remote work due to Covid, workplace re-openings and a newly hybrid workforce, supply chain disruptions, applications and operations moving to the cloud, a slew of new Internet of Things (IoT) devices, and multi-domain networks in which Operations Technology (OT) and Information Technology (IT) networks are merging. Together, these shifts have opened many new and ever-evolving avenues for hackers into the heart of economies, businesses and everyday life.
According to the World Economic Forum, 70 percent of economic growth is now being driven by digital technologies.<\/p>\n\n\n\n<h4><strong>First, Some Eye-opening Numbers That Put the Threat in Perspective:<\/strong><\/h4>\n\n\n\n<ul class=\"\" data-cols=\"1\"><li>Cyber-attackers can <a href=\"https:\/\/www.ptsecurity.com\/ww-en\/analytics\/pentests-2021-attack-scenarios\/\" target=\"_blank\" rel=\"noreferrer noopener\">breach 93% of company networks<\/a>, according to new research from Positive Technologies.<\/li><li>Cyberattacks in 2021 <a href=\"https:\/\/blog.checkpoint.com\/2022\/01\/10\/check-point-research-cyber-attacks-increased-50-year-over-year\/\" target=\"_blank\" rel=\"noreferrer noopener\">increased by 50%<\/a> when compared to 2020, as reported by cybersecurity firm Check Point.<\/li><li>Cybercrime cost U.S. businesses <a href=\"https:\/\/www.newsweek.com\/internet-crimes-cost-americans-69-billion-2021-fbi-reports-1690633\" target=\"_blank\" rel=\"noreferrer noopener\">more than $6.9B in 2021<\/a>, the FBI told Newsweek in March 2022.<\/li><li><a href=\"https:\/\/thoughtlabgroup.com\/cyber-solutions-riskier-world\/\" target=\"_blank\" rel=\"noreferrer noopener\">29% of CEOs and CISOs and 40% of CSOs<\/a> (Chief Security Officers) admit their organizations are unprepared for a rapidly changing threat landscape, reports ThoughtLab in its 2022 cybersecurity study.<\/li><\/ul>\n\n\n\n<p>Today\u2019s cybersecurity threat takes many forms and can vary by industry.
Among this year\u2019s top issues according to <a href=\"https:\/\/www.csoonline.com\/article\/3262972\/7-hot-cybersecurity-trends-and-2-going-cold.html\" target=\"_blank\" rel=\"noreferrer noopener\">CSO Magazine<\/a> are ransomware, cryptomining\/cryptojacking, deepfakes, video conferencing attacks, XDR (extended detection and response across endpoints, email, identity and access management, network management and cloud security), operational attacks against IoT and OT, and supply chain attacks such as the recent SolarWinds breach.<\/p>\n\n\n\n<ul class=\"\" data-cols=\"1\"><li><strong>Education:<\/strong> Outdated technology, massive stores of data and hybrid campuses are putting education at risk. Data breaches, phishing and ransomware are the top methods of attack here.<\/li><li><strong>Healthcare:<\/strong> In healthcare, the vast number of new medical and IoT devices now on the network are most at risk, with hackers targeting patient care devices and launching distributed denial of service attacks, demanding ransom and holding hospitals hostage.<\/li><li><strong>Manufacturing:<\/strong> In manufacturing, as multiple OT, IT and cloud networks connect for the first time, the lack of end-to-end security is causing issues, as new wireless endpoints and legacy systems suffer from weak encryption that impacts production and distribution.<\/li><li><strong>Energy:<\/strong> In energy, inefficiencies in identity and access management and a lack of system integration cause vulnerabilities in the supply chain.<\/li><li><strong>Financial Services:<\/strong> Financial services continue to be threatened by data breaches stemming from ransomware, phishing, web application and vulnerability exploitation, and denial of service attacks.<\/li><\/ul>\n\n\n\n<h3 class=\"has-green-color has-text-color\"><strong>Real-World Voices from the Trenches<\/strong><\/h3>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>A former CISO at General Motors and Visa, and current advisor to
CISOs and companies on how to effectively present to the board, <a href=\"https:\/\/www.linkedin.com\/in\/christiansenjames\/\" target=\"_blank\" rel=\"noreferrer noopener\">James Christiansen<\/a> has raised another issue beyond the lack of cybersecurity expertise. \u201cToday\u2019s guidance from the National Association of Corporate Directors about what the board should be asking falls short of the practical because it doesn\u2019t provide knowledge of how to interpret the answers given to those questions,\u201d he said in a recent conversation with DHR. \u201cYou have to watch for executives providing overly rosy pictures of the state of cyber readiness from dashboards that provide numbers but little understanding of the actual risk and how to address it.\u201d<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><a rel=\"noreferrer noopener\" href=\"https:\/\/www.fticonsulting.com\/experts\/meredith-griffanti\" target=\"_blank\">Meredith Griffanti<\/a> is a senior managing director and co-leads FTI\u2019s cybersecurity and data privacy communications team, one of the largest crisis communications practices focused specifically on cybersecurity. FTI has advised hundreds of companies including financial services firms, critical infrastructure operators, leading technology providers, hospitals, schools and the government on cyber incident response and preparedness. FTI&#8217;s recent research found that 82% of surveyed CISOs claim that they feel pressure to present a positive, &#8216;everything is covered&#8217; picture to the board.&nbsp;\u201cIn today\u2019s dynamic and fast-moving cyber threat landscape, it is essential for both risks and investment needs to be effectively communicated to the leadership and board of every company. 
Without a clear understanding at the highest levels of an organization\u2019s cyber risk profile, companies will be left vulnerable to cyberattacks of all kinds,\u201d Griffanti said.<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>Andre Mintz, a 30-year veteran building and leading information security programs at global scale at companies such as Meta, the financial services firm Newport Group, Red Ventures, Reuters, Microsoft and Kinko\u2019s, was placed by Kathryn Ullrich as CISO on the board of Absolute Software (NASDAQ: ABST), an endpoint resilience solutions provider embedded in over half a billion devices. He described the role of a board CISO this way: \u201cMy job as an integral part of the board is to participate not only at \u2018report outs\u2019 when cybersecurity comes up, but to be part of all the board\u2019s discussion around business strategy, vision, direction so that I can clear a path and future-proof or get ahead of where a company is going as it enters new markets or encounters threats. I want to ensure the right controls, certifications and processes are in place well before it is necessary so that the company doesn\u2019t have to slow its progress and can remain agile no matter what the business encounters.\u201d<\/p><\/blockquote>\n\n\n\n<h3 class=\"has-green-color has-text-color\">In Conclusion<\/h3>\n\n\n\n<p>Thanks to the SEC\u2019s new cybersecurity requirements and the growing threats evolving from digital technology and the use cases and business models it enables, there is a huge opportunity for CISOs to broaden their roles into the boardroom.<\/p>\n\n\n\n<p>This is the first in a series of articles on CISOs in the Boardroom from DHR. Next, DHR will reveal the results of a recent research study across 500 public U.S.
companies on the topic and share education on what qualifications CISOs need in the boardroom.<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"is-style-underlined has-green-color has-text-color\">Meet the Experts<\/h3>\n\n\n<div class=\"block-cta has-image alignfull\">\n\t<div class=\"maybe-wrapper\">\n        \t\t<div class=\"img\" style=\"background-image: url('https:\/\/www.dhrglobal.com\/wp-content\/uploads\/2021\/11\/Ullrich_Kathryn_Web-600x600.jpg');\"><\/div>\n        \t\t<div class=\"left\">\n\t\t\t<h2>Kathryn Ullrich<\/h2>\t\t\t<p class=\"subheading\">Managing Partner<\/p>\t\t<\/div>\n\t\t<div class=\"right\">\n            \n\n<p class=\"has-off-white-color has-text-color\">Kathryn is a Managing Partner in DHR\u2019s tech-focused Silicon Valley office, and a member of the Technology, Private Equity and Diversity Practices. Kathryn focuses on Board, C-suite and VP-level executive searches for leaders with skills in disruptive and innovative technologies, including cybersecurity companies and CISOs.<\/p>\n\n\n\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.dhrglobal.com\/consultant\/kathryn-ullrich\/\">Learn More<\/a><\/div>\n\n\n        <\/div>\n\t<\/div>\n<\/div>\n\n\n\n\n\n<div class=\"block-cta has-image alignfull\">\n\t<div class=\"maybe-wrapper\">\n        \t\t<div class=\"img\" style=\"background-image: url('https:\/\/www.dhrglobal.com\/wp-content\/uploads\/2021\/10\/Smith_Heather_Web-600x600.jpg');\"><\/div>\n        \t\t<div class=\"left\">\n\t\t\t<h2>Heather Smith<\/h2>\t\t\t<p class=\"subheading\">Partner<\/p>\t\t<\/div>\n\t\t<div class=\"right\">\n            \n\n<p class=\"has-off-white-color has-text-color\">As a member of the Board &amp; CEO Practice at DHR, Heather works with clients to successfully place C-level executives, chairmen, CEOs and board directors. 
Heather works with public, private and private equity-owned corporations across industries to build and refresh boards and execute CEO succession plans. <\/p>\n\n\n\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/www.dhrglobal.com\/consultant\/heather-smith\/\">Learn More<\/a><\/div>\n\n\n        <\/div>\n\t<\/div>\n<\/div>\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>Thanks to the SEC\u2019s new cybersecurity requirements and the growing threats evolving from digital technology and the use cases and business models they enable, there is a huge opportunity for CISOs to broaden their roles into the boardroom. This is the first in a series of articles on CISOs in the Boardroom from DHR. Next, DHR will reveal the results of a recent research study across 500 public U.S. companies on the topic and share education on what qualifications CISOs need in the boardroom. <\/p>\n","protected":false},"author":20,"featured_media":14783,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[48,125,36,91],"insights_type":[49],"acf":[],"_links":{"self":[{"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/posts\/14758"}],"collection":[{"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/comments?post=14758"}],"version-history":[{"count":46,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/posts\/14758\/revisions"}],"predecessor-version":[{"id":20869,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/posts\/14758\/revisions\/20869"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/media\/14783"}],"wp:attachment":[{"href":"https
:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/media?parent=14758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/categories?post=14758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/tags?post=14758"},{"taxonomy":"insights_type","embeddable":true,"href":"https:\/\/www.dhrglobal.com\/wp-json\/wp\/v2\/insights_type?post=14758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}