March 29, 2016 •
We hear about data breaches every week in the news, and in response to that reality, companies are starting to talk about them in board rooms as well.
Organizations are taking today's data breach environment very seriously—to the point of reporting on security threat management efforts at the board level—because they understand the economic impact to their businesses, and more importantly to their brands.
But should boards themselves be required to include at least one member with cybersecurity-specific expertise? According to S.2410 - Cybersecurity Disclosure Act of 2015, a cybersecurity bill introduced late last year by Senators Jack Reed (D-RI) and Susan M. Collins (R-ME), they should. And if not, the bill stipulates that boards (or other governing bodies) of publicly-traded companies should be prepared to give an account of their efforts to recruit such an individual to join their group.
While its intent appears to be the establishment of top-down cybersecurity oversight, the bill leaves several unanswered questions:
As a CEO who reports to a board of directors, I appreciate and support increased accountability at the board level. However, I question whether we need legislation to enforce this. Instead, public and private organizations should voluntarily step up their cybersecurity games and adopt measures such as these as a best practice. This just makes good business sense.