The U.S. Securities and Exchange Commission (SEC) has dropped its proposed requirement that public companies disclose whether a cybersecurity expert sits on their board of directors. The final rule still requires companies to describe the board's role in overseeing cybersecurity risk and management's role and relevant expertise in assessing and managing that risk.
The SEC's original March 2022 proposal would have required companies to disclose whether both their management and their board of directors include anyone with cybersecurity expertise. The board-level expertise disclosure has been withdrawn; the management-level disclosure remains.
The SEC does not define what counts as "cybersecurity expertise," leaving companies to set their own standard. It has offered some guidance on what may be relevant, including professional certifications, educational degrees, and work history.
Andrew Morrison, a principal at Deloitte Risk & Financial Advisory, says that while the SEC's rule does not directly call for more cybersecurity experts at the board or senior management level, it parallels other SEC disclosure mandates. He cites the rule requiring disclosure of the financial expertise of directors serving on audit committees as an example.
Because the SEC will neither approve nor reject anyone's credentials, the market will ultimately decide who counts as an expert. A company's stock price could drop after a severe data breach, or a firm could reconsider the credentials it previously accepted once rivals bring in more qualified people.
EY's managing director, Brian Levine, suggests that the SEC's disclosure requirements might stimulate competitive spirit among organizations, encouraging them to elevate their cybersecurity standards.
Security specialists commonly weight experience over certifications or academic training. Credentials such as CISSP, CISA, CompTIA Security+, CEH, and CISM, along with computer science degrees, are considered useful for a management role, but they may not be the right measure for a board seat.
Andy Ellis from YL Ventures cautions companies against over-reliance on quantifiable metrics like certificates or degrees during recruitment. He emphasizes the importance of a board member's ability to ask pertinent questions over knowing precise answers.
Likewise, Brian Walker, CEO of The CAP Group, shares the skepticism toward certifications at the Fortune 500 level. He stresses the value of a cybersecurity expert who can make critical security decisions on the spot.
To fill a board seat, companies can either recruit a cybersecurity expert or develop the expertise of an existing director. Recruiting can be difficult, because genuine cybersecurity professionals are scarce in the pools from which board members are traditionally drawn.
Igor Volovich, the VP of compliance strategy at Qmulos, believes that existing directors might resort to cyber schools or certification boot camps to demonstrate expertise. He, however, doubts the efficacy of such attempts.
The SEC's underlying goal is to correct the inadequate attention cybersecurity typically receives at large companies. Despite supportive rhetoric about security protections and risk aversion, boards rarely back those words with action when it comes to budgets or to granting the CISO more authority.