Cybersecurity Board Reform Blows Into Place For SolarWinds


The SolarWinds data breach is the stuff of plaintiffs' attorneys' dreams and corporate directors' nightmares.

SolarWinds has joined a rapidly growing club whose members share catastrophic cybersecurity breaches along with one other thing: after the breach, 100% of their boards wish they had taken a more effective approach to cybersecurity risk oversight 100% of the time.

SolarWinds just took steps to strengthen its boardroom cybersecurity risk oversight. The actions it is taking break no new ground, except at SolarWinds itself, although they are far from widely adopted practices. They should be, and could be, widely adopted without much boardroom effort or cost. The ROI of fixing digital and cybersecurity risk governance shortcomings in the boardroom is exponentially positive.

The SolarWinds CEO just reported that the company is creating a cybersecurity committee on its board and adding directors who are digitally and cyber-risk literate. At the time of the breach, SolarWinds' corporate board had tasked its Nominating and Governance Committee with cybersecurity risk oversight, a unique practice. The effectiveness and activities of the three directors on that committee will come under significant scrutiny during the company's upcoming litigation.

Adding corporate directors who are digitally and cyber literate isn't a groundbreaking boardroom innovation. I’ve been advocating for this since 2016.

And there’s more to solving the corporate governance problem of digital and cybersecurity risk oversight than that, although it starts with having corporate directors who can effectively oversee these issues. There are three parts to an effective approach to digital and cybersecurity risk oversight that any corporate board can put in place very quickly:

  1. First, add cyber-literate corporate directors to the board (boards should also add a broader digital skill set and strive for a critical mass of three digitally savvy directors).
  2. Organize board oversight of digital and cybersecurity risk in a Technology and Cybersecurity Committee, staffed of course by those three digitally savvy directors and possibly one multi-committee director from the Audit Committee. Technology and cybersecurity oversight belong together: the new technology initiatives, ongoing projects, and IT operations that create business value should be governed alongside the cyber threats and risks to that business value. There have been calls for all public company boards to do this since 2018.
  3. Finally, corporate boards need to recognize that risk is changing and that the scope of their risk management oversight needs to change as well. These changes center on systemic risk, and especially the systemic risk that runs throughout their digital business systems. Cyber risk can’t be understood and mitigated without an understanding of systemic risk. Systemic risk is an entirely new dimension of risk oversight and management that the vast majority of organizations have little understanding of.

Taking those three steps is the start of understanding and mitigating the complex and fast-evolving risks surrounding digital business systems. Government reform and mandates are also coming to this issue, to force companies and boards to fix what they have so far been unable or unwilling to address.

Reuters recently reported that the software industry might soon be held to a higher standard of accountability and disclosure for their products’ cybersecurity risks and breaches. President Biden may sign an Executive Order addressing this issue as early as next week.

The draft order might also strengthen the public/private partnership on cybersecurity risk by creating an incident response board, or a clearing house for breaches and other risk issues. This has been a topic of discussion for a while, and it may finally become a reality as the new administration brings a long-overdue emphasis to cybersecurity risk.

Digital and cybersecurity success starts in the boardroom. Unfortunately, so does digital and cybersecurity failure — but it doesn't have to. Solutions to this challenge are well within reach for every company and boardroom.
