The US Securities and Exchange Commission (SEC) has held up a magnifying glass to an enterprise’s cybersecurity expertise.
The original proposal from the SEC in March 2022 said that it wanted companies to publicly declare one cybersecurity expert on the board of directors and one within management. Today the SEC backed off the requirement for the board expert — although it still wants “registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
That means the SEC is not actively pushing for a board cybersecurity expert’s credentials, at least for the moment. But it is still insisting that management cybersecurity expertise be reported to them.
But what constitutes such expertise? That is a very difficult question to answer, experts agree.
The SEC explicitly did not define cybersecurity expertise, leaving that critical decision to each company. It gave hints as to some possible areas to determine that expertise, mentioning certifications, academic degrees, and work experience.
“Although the intent may be implied, the proposed SEC rule on cyber does not actually require more cybersecurity expertise on boards or in senior management,” says Andrew Morrison, a Deloitte Risk & Financial Advisory principal. “The … rule may not clearly outline what constitutes that expertise, but this is no different from other SEC disclosure requirements put in place for directors, such as the disclosure of financial expertise of directors who serve on the audit committee.”
Market Will Decide Who’s an Expert
Various specialists interviewed say that the SEC will not approve or deny anyone’s credentials or determine whether they meet the unspecified requirements. It will leave that to the market.
That could play out in two ways. First, when the enterprise suffers an especially destructive data breach, shareholders and investors may punish the company by lowering its stock price if those market forces decide that the credentials were insufficient. Second, a company might reconsider credentials it initially approved if all the other companies in that segment produce experts with more impressive credentials.
“The SEC is likely hoping that the new disclosure requirements will create some healthy competition around cybersecurity,” says Brian Levine, an EY managing director. “Organizations will look at what their peers disclosed and try to do better, or at least not substantially worse.”
Asked whether he thinks the new rule will make boards looking for new members prioritize cybersecurity experience, Levine is skeptical, but allows that “it might at least be a tie-breaker.”
Experience Is Key
When discussing the categories that the SEC shared, most security specialists give overwhelming emphasis to experience, with few being impressed by most certificates or university training. Still, the most popular certs — including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), CompTIA Security+, Certified Ethical Hacker (CEH), and Certified Information Security Manager (CISM) — and computer science degrees are generally considered helpful for the management role, if too specific for the board role.
Andy Ellis, operating partner at YL Ventures, worries that some companies will rely too heavily on metrics that are easy to quantify — such as certs and degrees — because it will make it easier to find the talent, assuming the company is looking for this management expert externally.
“Recruiters can do a Google search based on metrics and find the perfect candidate who checks all of the boxes, even if qualitatively they are not a good candidate,” Ellis says.
For a board role, Ellis says it is much less about knowing the answers than it is about knowing the right questions to ask. For example, if the CISO tells the board that they have properly implemented multifactor authentication (MFA), does the board member know enough about MFA and authentication to ask, “How many factors are we using and which ones are we using? Are we using the most stringent accurate methods or the lowest cost and least effective ones?” And when the answer comes, will that board member know if the answers are valid?
Brian Walker, CEO at security consulting firm The CAP Group, also is skeptical that certifications are helpful at the Fortune 500 level. The big value of a cybersecurity expert, whether in management or on the board, is making critical, on-the-spot security decisions, such as whether something is truly a reportable breach.
“At what point is an incident material? Simply determining if it’s material or not isn’t a quick activity,” Walker says. “When do you declare?”
Recruit, Train, or …?
For a board position, enterprises have two ways to go: recruit true cyber experts to join the board or turn existing board members into cyber experts.
The first option is difficult. Fortune 500 companies almost always have board members from one of three places: CEOs and former CEOs of other companies, investors of all kinds, and internal board members, typically the CEO and either the CFO or the COO. It’s hard to find true cybersecurity experts in those groups.
“If all the board needs to do is demonstrate expertise and the SEC is leaving the door open to directors demonstrating expertise through industry certification, then it would follow that sitting directors would wind up in certification boot camps or executive cyber schools,” says Igor Volovich, the VP of compliance strategy at Qmulos. “Having observed such efforts firsthand, I can attest to the highly limited utility of such efforts.”
The SEC is trying to address the lack of serious attention cybersecurity typically receives at large companies. Board members will generally say supportive things about having low tolerance for risk and the importance of security protections.
But when the board makes budget decisions and considers giving the CISO far more authority, it overwhelmingly tends not to support cybersecurity with its actions.