Becoming an Effective Board on Cybersecurity

A board directorship is a prestigious appointment, signaling public recognition of an individual’s industry expertise, business acumen, and leadership qualities. According to PwC’s 2024 Annual Corporate Director Survey, 13% of board directors reported that their boards had added someone with cybersecurity expertise in the past year. Given a typical term of five years, most corporations should have dedicated board oversight of cyber matters. However, what does it take to be effective?

Among the many cybersecurity challenges, some argue that the board should focus on governance and strategy rather than technology and operations, even though these are integral to cyber safety. Certainly, a sensible approach is that the board neither interferes with daily operations nor loses touch with on-the-ground realities. However, an overly narrow focus on governance and strategy can backfire, overlooking volatile business and operational changes that leave the organization more vulnerable.

In the aftermath of a security breach, every cybersecurity chief is prepared to address the board’s anticipated inquiries: How did it happen? Who is affected? What are the damages? While the report may highlight technical missteps and lessons learned, it often sidelines underlying office politics and unclear risk ownership. To uncover these issues, the board must cut through technical jargon and probe deeper.

Given its fiduciary role, the board is best positioned to confront the most insidious aspects of cybersecurity, such as near misses, risk ownership, peer comparisons, and even the probability of being hacked—critical issues that rarely make it onto the agenda.

Focus on Near Misses

Today, many boards mandate incident updates within 48 to 72 hours. Some require the same for significant cyberattacks on critical services and infrastructure. Analyzing these cases helps identify weaknesses, refine security controls, and prevent future incidents.

Learning from actual incidents, however, is costly and painful, often reflecting poorly on performance. Instead, the board can learn from near misses—situations where threats were detected and mitigated before causing harm. Near misses are positive indicators, encouraging staff to strive for improvement rather than fear repercussions. When risk owners feel less defensive and more receptive to issues raised, the organization benefits. After all, understanding near misses confirms that safeguards are working as intended—or that luck played a role, prompting further scrutiny.

Identify the Risk Owners

Who owns cybersecurity risk? This is a compelling question for the board, yet it has no straightforward answer. While many assume the cybersecurity chief is the risk owner, this perspective is incomplete and can obscure deeper accountability issues within an organization’s hierarchy.

Cybersecurity is a long-tail risk, with repercussions that can span years. Consider a massive personal data breach: the organization could face prolonged lawsuits, hefty regulatory penalties, job losses, and the need for fresh capital to overhaul its defense strategies. Restoring reputation and customer trust could take years. Clearly, no single individual can bear full ownership of these risks.

According to ChatGPT, a risk owner in cybersecurity is responsible for managing and mitigating risks associated with a specific asset, process, data set, or business function—a definition I fully support. For example, corporate infrastructure is a tangible asset, payroll is a financial process, staff training is an HR function, and regulatory compliance falls under legal purview. These risks span multiple business leaders across technology, finance, human resources, and legal and compliance—each of whom is responsible for ensuring compliance and security within their domain.

By setting the tone from the top and clearly assigning ownership, the board can break down silos and prevent disputes over responsibilities in data protection, security controls, and cybersecurity exigencies.

Ask for Peer Comparisons

We are accustomed to grading systems in school, where a pass mark is 50 out of 100. It is appealing to think that cyber risk could be similarly quantified, scored, and benchmarked against peers. Doing so would help align board assessments, track progress, optimize security spending, and negotiate appropriate cyber insurance coverage.

There are tools and services that assess cybersecurity posture by simulating an external threat actor scanning for vulnerabilities. However, since organizations vary in industry, size, technology, risk treatment, and appetite, the self-determined passing mark should be taken with caution. Nonetheless, benchmarking against peers in the same industry provides valuable insights.

Know Your Probability of Being Hacked

When the board is satisfied with regular cybersecurity updates, existing mitigations, and business-as-usual operations, one critical question remains: What is the probability of being hacked in the next 12 months? Since perfect security is unattainable, a data-driven approach offers insight into the likelihood of a breach, potential attack vectors, and staff preparedness.

Simply put, the probability of a successful cyber breach is a function of attack vectors and defensive controls. For example, to model a takeover attack on an administrator account with privileged access, one must consider prevalent attack vectors such as social engineering, malware infections, and password spraying. Then, mitigating measures such as endpoint protection, two-factor authentication, and privileged account management must be factored in. Running simulations over many repeated iterations can yield the probability of an event occurring within a given timeframe. Nowadays, AI models can further refine risk assessments in complex environments with interdependent variables.
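The privileged-account takeover model sketched above, worked through as an added example (this code is not from the original article). It treats each attack vector as a stream of attempts, lets each control stop a share of those attempts, repeats a 12-month period many times, and reports how often at least one takeover occurred and which vector got in first. Every attempt rate and control effectiveness figure is a constructed assumption chosen for illustration; a real assessment would replace them with the organization's own incident, near-miss and control-testing data. The closed-form Poisson calculation is included only to cross-check the simulation.

```python
"""Monte Carlo model of the 12-month probability that a privileged admin
account is taken over, given attack vectors and defensive controls.

Added illustration only. Every rate and effectiveness figure below is a
constructed assumption for demonstration, not a measured value."""
import math
import random
from dataclasses import dataclass

MONTHS = 12


@dataclass(frozen=True)
class AttackVector:
    name: str
    attempts_per_month: float  # expected attempts per month (Poisson rate), assumed
    base_success: float        # P(takeover | attempt) with no controls, assumed


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: dict        # vector name -> fraction of attempts it stops, assumed


# Constructed threat model: the three vectors named in the text.
VECTORS = [
    AttackVector("social_engineering", attempts_per_month=2.0, base_success=0.05),
    AttackVector("malware", attempts_per_month=1.0, base_success=0.08),
    AttackVector("password_spraying", attempts_per_month=4.0, base_success=0.02),
]

# Constructed control model: the three mitigations named in the text.
CONTROLS = [
    Control("endpoint_protection", {"malware": 0.90, "social_engineering": 0.30}),
    Control("two_factor_auth", {"password_spraying": 0.99, "social_engineering": 0.70}),
    Control("privileged_account_mgmt",
            {"social_engineering": 0.50, "malware": 0.50, "password_spraying": 0.50}),
]


def residual_success(vector, controls):
    """P(takeover | attempt) once each control has stopped its share; controls
    are treated as independent layers, so their pass-through rates multiply."""
    p = vector.base_success
    for c in controls:
        p *= 1.0 - c.effectiveness.get(vector.name, 0.0)
    return p


def analytic_breach_probability(vectors, controls, months=MONTHS):
    """Closed form used to cross-check the simulation: successful attempts per
    vector form a thinned Poisson process with rate attempts * p_success, so
    P(at least one takeover in `months`) = 1 - exp(-months * sum of rates)."""
    rate = sum(v.attempts_per_month * residual_success(v, controls) for v in vectors)
    return 1.0 - math.exp(-months * rate)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_breach_probability(vectors, controls, runs=10000, months=MONTHS, seed=7):
    """Repeat the 12-month period `runs` times, month by month, and return the
    fraction of runs with at least one takeover plus which vector got in first."""
    rng = random.Random(seed)
    p_success = {v.name: residual_success(v, controls) for v in vectors}
    first_vector = {v.name: 0 for v in vectors}
    breached_runs = 0
    for _run in range(runs):
        culprit = None
        for _month in range(months):
            for v in vectors:
                attempts = _poisson(rng, v.attempts_per_month)
                if any(rng.random() < p_success[v.name] for _attempt in range(attempts)):
                    culprit = v.name
                    break
            if culprit:
                break
        if culprit:
            breached_runs += 1
            first_vector[culprit] += 1
    return {
        "probability": breached_runs / runs,
        "breached_runs": breached_runs,
        "first_vector": first_vector,
    }


if __name__ == "__main__":
    for label, controls in (("no controls", []), ("with controls", CONTROLS)):
        sim = simulate_breach_probability(VECTORS, controls)
        print(f"{label:13s} analytic={analytic_breach_probability(VECTORS, controls):.3f} "
              f"simulated={sim['probability']:.3f} first_vector={sim['first_vector']}")
```

With the constructed figures, the annual takeover probability falls from roughly 0.96 with no controls to roughly 0.16 with all three in place, and social engineering accounts for almost every remaining first compromise, which is the kind of output that tells a board where the next control investment should go. Swapping the assumptions for the organization's own measurements is the whole point of the exercise; the model structure stays the same.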

Conclusion

An effective board is not confined to governance and strategy. It plays a crucial role in fostering a collaborative environment where the cybersecurity chief and risk owners work together cohesively. It must be willing to challenge the status quo and trigger critical thinking. It drives a cultural shift, emphasizing that the best time to strengthen cybersecurity is during periods of stability, rather than waiting for a crisis. We must remain vigilant, ensuring cybersecurity always remains a priority.

Just Too Many Digital Chiefs

Just as medicine has split into specialists providing in-depth, expert care in a specific area, the tech industry has seen a similar shake-up in recent times, resulting in a plethora of high-sounding titles such as Chief Analytics Officer (CAO), Chief Artificial Intelligence Officer (CAIO), Chief Data Officer (CDO), Chief Digital Transformation Officer (CDTO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Knowledge Officer (CKO), Chief Machine Learning Officer (CMLO), and Chief Technology Officer (CTO). This trend is ongoing, as evidenced by the myriad of executive programs offered by Ivy League colleges and training schools for those keen to qualify.

The rapid tech advancement has caught many enterprises off guard. The surge of chief titles like CAIO and CMLO appears to be a knee-jerk reaction to the phenomenal growth of generative AI. In the past few years, many CISO appointments were fast-tracked to comply with regulatory mandates in some parts of the world, which require a dedicated chief for cybersecurity amid escalating cyber breaches and privacy invasions. On the other hand, the once in-demand CKO hiring of the late 1990s is fast fading, likely ousted by the CDO and CAO amid a shifting focus to big data and analytics. Lastly, the de facto tech chief, the CIO, has seen most of its technology portfolio taken over by the CTO, often to allow a sharper focus on technology.

Obviously, we do not need a management professor to tell us that too many chiefs without a chief of the chiefs would be a grave mistake in corporate governance. For instance, should the CISO be accountable for the security of an AI system? Intuitively, yes, provided the CISO has veto power over the AI because accountability requires control. From frivolous data to business insights and invaluable knowledge, should the CKO be rejuvenated and made responsible for all these seemingly discrete domains, thus offloading responsibilities from and right-sizing the CIO and CDO? Ironically, does the CDTO really fit the bill of a digital chief with goals to transform business? Realistically, must all the chiefs bear the same titles and compensations if their job sizes differ?

Nobody would argue if the Chief Executive Officer (CEO) were to be the overall digital chief, given how tech has been transforming industries and businesses. Sitting a level closer to the head of the organization allows for more direct communication, brainstorming on an equal footing, and faster decision-making. However, this is impractical given the day-to-day management chores. For non-tech, non-profit, and end-user enterprises, IT is mostly a tool rather than a strategy, and an expense rather than an investment, one that hardly features in the KPIs (Key Performance Indicators) of the CEO. Also, it takes more than a tech-savvy CEO to oversee the work among the digital chiefs, dealing with operational issues and personnel conflicts.

It is an opportune time to rehash the chiefs’ departments if you have close to a double-digit count of digital chiefs, especially when some have no direct reports. The CIO debuted in 1980, and the CTO in 1990, by which time the first batch of CIOs had already been functioning well for a decade before relinquishing their tech function to the CTO. The CIO nomenclature has suffered from a birth defect with a missing specific – Technology – despite it being a substantial part of the role. Given the continuous advancement and escalating reliance on technology, it makes perfect sense for a new chief function, the Chief Information Technology Officer (CITO), to take on both portfolios. In fact, the CITO role has emerged in recent years as a response to the increasing importance of technology in organizations, likely evolving from the CIO and CTO roles.

There are CISOs reporting to an independent entity, such as the Board, CEO, or a corporate chief on risk management, citing autonomy without being undermined by the CIO or any other chief. Unlike audits, the CISO is not an inspect-and-control function; it is the inherent cybersecurity knowledge and skills that are most valued. The CISO should be an integral part of the CIO department, incorporating security design and operating requirements into any tech development. The CISO should also be the party to endorse tech implementation and operational changes. Checks and balances can be achieved through independent audits, external consultancy, and certifications like ISO 27001 Information Security Management System.

Data does not lie, but it stops short of saying anything if it is not clean. Like clean water to humans, pristine data is the lifeline of AI and of the CAIO, CDO, CAO, and CMLO alike, even though each takes a different spin on it. The CDO should define relevant policies for data ownership, cleansing, protection, sharing, and retention, and govern and coordinate efforts among the business units to ensure compliance and resolve disputes. Separately, the CAO focuses on data analytics, using tools like Excel, Python, SQL, and SPSS to justify business actions and decisions and subsequently measure performance. Raw data is akin to unrefined ore: it is abundant and contains potential value, but in its unprocessed state, it lacks clarity and insight. Combining the CDO and CAO functions into a Chief Data and Analytics Officer (CDAO) provides oversight and management controls for transforming raw data into valuable insights.

The CMLO, equipped with strong mathematics, statistics, and coding knowledge, builds algorithmic models for applications such as generative AI, behavior analysis, and pattern recognition. The CAIO, with a similar background, spearheads AI direction, strategies, ethical use, and staff training across the entire enterprise. It is an ecosystem where the chiefs interact and work to embed AI seamlessly in all business functions.

In the context of the CDTO, the latest kid on the block, Tech and Digital are not interchangeable. As the name implies, digital transformation aims to modernize the business by leveraging progressive tech advancements. Transformation is disruptive, often requiring mindset changes, new learning, and critical thinking to debureaucratize the organization. Besides possessing necessary business acumen, having a clear mandate and authority to make decisions is crucial for effectively addressing and overcoming objections. The emergence of the CDTO is timely, fueled by attainable technologies such as Cloud, RPA (Robotic Process Automation), next-generation ERP (Enterprise Resource Planning), and the prevalence of BPO (Business Process Outsourcing) that enable businesses to own their transformation.

Except for the CDTO, all tech chiefs have either a share of operational duties or a high stake in them. In a unified approach, tech-related activities such as strategic planning, manpower forecasting, and budgeting should be integrated and coordinated across the enterprise, rather than being siloed among separate digital chiefs. This collaborative approach ensures alignment, efficiency, and effective resource allocation, enabling the organization to achieve its goals and business priorities cohesively and strategically. As the saying goes, “A house divided against itself cannot stand.” By working together, we can build a strong and resilient organization that thrives in today’s fast-paced and competitive landscape.

Merging the CIO and CTO functions into CITO and combining the CDO and CAO into CDAO are pivotal steps prior to integrating the CAIO, CMLO, and CISO functions into the same CITO office. Partnership hinges on individuals, but an integrated system, once built, will be long-lasting regardless of personnel changes and how technology evolves. Transformation is not a transient function, and the CDTO, primarily a business function, should stay abreast of technological changes and continue to lead the effort.

With the optimized hierarchy, the CITO, with the combined functions of CIO, CTO, CAIO, CMLO, and CISO, will report to the CEO or their deputy, as will the CDTO and the CDAO with the combined functions of CDO and CAO. Knowledge will be produced on the fly, with proper safeguards, once generative AI becomes more intelligent and widespread, thus diminishing the CKO’s role further.

Organizational changes are risky. Dealing with potentially inflated titles, re-designation, and job resizing may unsettle many incumbents. It is reminiscent of the heated debates between centralizing and decentralizing tech functions in a large enterprise. Ultimately, organizations that persevere through these changes will benefit from greater agility, cost savings, clarity of ownership, accountability, less politicking, a healthier workplace, and, finally, emergence as leaders in their industry.



*Copyedited by ChatGPT, https://chat.openai.com/chat