A collaborative survey of 472 public and private company directors, conducted by the Wall Street Journal and the NACD on various aspects of board cybersecurity oversight, revealed (Part One | Part Two) these key takeaways regarding cybersecurity competency and expertise:
Cyber-level competency—A plurality of all respondents rated their boards’ ability to oversee a cyber crisis as “intermediate,” while 30% rated their boards’ ability as “advanced” or “expert.” By comparison, 36% of public company directors, 27% of private company directors, and 45% of tech companies rated their boards as advanced or expert.
Cyber-expert directors—More than three-quarters of respondents (including 78% of public companies) reported having at least one cyber-expert director and nearly one-fifth reported having at least three such directors. However, as previously reported (see “Benchmarking Cyber Expertise”), expertise in this regard is undefined and thus open to interpretation.
By sector, the Consumer Goods & Retail and Professional Services & Human Resources sectors reported the most cyber-expert directors (89% and 87%, respectively). The Energy and Utilities sectors reported the fewest (64% and 68%, respectively).
Companies planning to recruit a cyber-expert director are more focused on the candidate’s cybersecurity background than on the candidate’s title.
Cyber-expertise gaps—Those companies lacking one or more cyber-expert directors most commonly plan to develop a cyber competent board or selected board members, as indicated here:

Consistent with the alternative approaches above, one-third of respondents (33% public companies | 40% private companies | 48% financial services companies) are not seeking a cyber-expert director because they don’t deem it necessary. (See our recent report: “Society Members Speak! Board Composition & Refreshment,” which revealed that most boards are not considering or seeking issue-expert directors.)
Cyber-expert director implications—The implications of cyber-expert directors on the board are mixed. Favorably, a majority of respondents reported improved awareness of cyber risk at the board level and receipt of better cyber risk information from management. Unfavorably, fewer than half of respondents indicated that their cyber-expert director is able to contribute widely to all board discussions, and nearly 40% said that other directors defer to the cyber-expert director on cyber risk oversight.

Cyber risk resources—More than half of respondents look to online news and information and informal / online cybersecurity training to help facilitate their oversight responsibilities. Other tools tapped by many directors include executive level cybersecurity experience, membership in professional organizations, attendance at cybersecurity events, and more.
Part Two of the report imparts benchmarking data on directors’ perception of management’s cyber risk management performance, understanding of the board’s cyber risk role and responsibilities, responsibility for management briefings to the board, and the prevalence of tabletop exercises.