By Jessica Tasman-Jones
This article is brought to you by Agenda, an FT Specialist publication that focuses on corporate boards
Boards lack expertise in cyber security but chief information security officers struggle to be appointed to the top table, researchers say.
Cyber breaches are a major risk to companies, says Lisa Edwards, president at Diligent Corporation and a director at Colgate-Palmolive. In a survey by Diligent in January, 64 per cent of UK companies said they had experienced a cyber breach in the previous 18 months – largely because more staff worked from home – and 75 per cent lost revenue as a result.
Fifty-two per cent of chief information security officers in the UK would be willing to join a board, says a survey by Heidrick & Struggles, the recruitment firm, published this month.
Boards typically only focus on cyber security after a breach, says Job Voorhoeve, leader in global digital practice at Amrop, the executive search firm.
He points to the experience of Maersk, the Danish shipping line, as an example of the high cost of a cyber attack. In 2017, the group said a breach of its systems had cost up to $300mn.
Jim Hagemann Snabe, Maersk’s chairman, had been in place for three months when the incident happened. Snabe, a former tech executive hired for his digital experience, made sure that Maersk’s beefed-up cyber security could be seen as a competitive advantage.
Directors often overlook cyber security experts for board positions because their experience is thought of as niche. Boards are often more interested in recruiting a chief financial officer, to whom the company’s technology executives report.
This reluctance on the part of boards is because they want strategic breadth rather than “someone who can only talk about one topic,” says Jennifer Christensen, founder of JWC Partners, the US search firm.
Rather than offer a board position, many boards rely on staff or external consultants to provide cyber expertise, according to a survey of US directors by Agenda, the FT Specialist publication.
“We plan to rely on input [from the chief information security officer] and outside resources to assist the board,” said one respondent.
“We have staff and we use outside expertise,” said another.
UK companies, in particular, are reluctant to appoint directors from specialist backgrounds. Just 10 per cent of people who sit on boards have cyber security experience.
Experts say this figure should be far higher. Andy Young, global lead for financial services talent and organisation at Accenture, says his firm recommends that 25 per cent of directors on the boards of banks should have technology experience.
“The board should delegate operational oversight of cyber risk to a sub-committee which could vary depending on the industry and regulatory environment,” says Jitender Arora, chief information security officer at Deloitte.
“For example, it could be the audit and risk committee, operational risk committee or cyber risk committee depending on the governance structure. An increasing number of companies now have a technology oversight committee.”
Globally, the appointment of directors with specialist backgrounds is increasing. These include people with skills in technology and also expertise in disciplines such as human resources and law. The proportion reached 18.9 per cent in 2021 but in the UK that figure was just 11.9 per cent, according to research from Diligent.
Regulators are increasing the pressure to provide oversight and challenge on risks, says William Touche, London senior partner and vice-chair at Deloitte.
“This will likely translate to cyber reporting becoming increasingly robust, particularly with some regulators proposing disclosures of cyber risk assessments and management activities within annual reports, given its importance and the consequences when things go wrong,” Touche says.
Boards with a sole tech expert can depend too much on one director “letting the rest of the board off the hook”, according to recent Deloitte research.
Relying on a single individual could lead to too little discussion and debate, says Young.
Vulnerabilities vary widely depending on the sector, says Voorhoeve. In education or recruitment, for example, many people will log into a company’s systems, which creates increased opportunities for breaches, he says. In an infrastructure firm, however, fewer people can access the systems but the impact of an attack can be higher.
Companies’ cyber security teams should have enough knowledge to contribute to business strategy, says Cate Pye, cyber security expert at PA Consulting. But external expertise, either a consultant or non-executive director, can bring experience from elsewhere and offer a sense check, she says.
The UK Cyber Security Council is developing professional standards that will help boards to understand the competencies in their organisation, says Claudia Natanson, who chairs the council’s board of trustees.
“Cyber expertise at board levels must be mandatory to help progress the needed change.”
This article is based on a piece written by Amanda Gerut for Agenda.