Most challenging problem for boards in 2023 & 2024 - Cybersecurity

NOTE: I have been talking to fellow CISOs, Angel Investors/VCs and Senior CxOs helming the boards about their views on cyber security and upcoming regulations. This article provides a summary of their feedback.

This ORIGINAL article is written by Prakash Padariya, with reference from multiple media sources & feedback from board members. Please provide credits if you use this article.


The importance of cybersecurity governance has become a pressing concern for all boards in contemporary times. This urgency is further emphasized by the recent declaration made on March 1, 2023, by the Biden-Harris Administration regarding the implementation of a new National Cybersecurity Strategy. Furthermore, the imminent finalization of the SEC Cybersecurity Regulations in April 2023 only reinforces the need for cybersecurity to be at the forefront of every corporate board's agenda, both in the present and moving forward.


The recently released report of the Diligent Institute on what boards of directors think sheds light on the prevailing concerns faced by boards, with cybersecurity emerging as the most formidable issue. It encompasses findings from a recent survey conducted among 300 directors from public companies. It is worth noting that cybersecurity challenges have consistently been identified as one of the most daunting obstacles to effective governance since 2014.


In the year 2023, the members of the board of directors face a significant challenge in the form of an escalating threat from cybercriminals. These criminals are constantly evolving and adopting new attack techniques, while organizations are expanding their digital presence, thereby increasing their vulnerability. The dangers are not hypothetical; they are very real and will have severe financial consequences.


According to the Cybersecurity Outlook by Statista, the costs associated with cybercrime are projected to skyrocket in the next five years. In 2022, the estimated cost was $8.44 trillion, but by 2027, it is predicted to reach a staggering $23.84 trillion. These astronomical figures are a result of various cybercrimes, including theft of funds, intellectual property, personal and business data, fraudulent activities, disruption of regular business operations, and damage to reputation. It is abundantly clear that as we enter the year 2024, cybersecurity can no longer be brushed aside as a mere IT concern. It has become an urgent and indispensable strategic priority that must be addressed across all departments and levels of both private and public companies.

Why is cybersecurity a significant challenge for boards?

  • Comprehensive understanding of cybersecurity

Gaining a comprehensive understanding of cybersecurity and cyber risk is a highly complex task, which is further complicated by the rapid pace of digital advancements, the intricate nature and wide-ranging application of cybersecurity technology, a scarcity of skilled professionals, and the introduction of new regulations. It is not surprising that boards are increasingly grappling with cybersecurity as one of the most formidable challenges confronting directors.

  • Complexity of cybersecurity technology

The field of cybersecurity is a relatively new corporate discipline in the business world and involves a wide range of intricate technologies and evolving processes and responsibilities. In the United States alone, there are more than 3500 security vendors that offer various types of solutions such as authentication, identity and access management, firewalls, and threat intelligence, just to name a few. The complexity of cybersecurity is further compounded by the fact that enterprise security requires a multi-layered approach, encompassing all aspects of an organization's perimeter, including endpoint security, data security, mobile security, application security, cloud security, and network security. Without prior experience and expertise in cybersecurity, board directors lack the necessary tools and knowledge to effectively navigate cybersecurity governance.

  • Cyber Security expertise shortage at board level

The issue of a lack of cybersecurity expertise extends beyond just the board of directors and is a problem that is prevalent throughout the entire industry. The field of cybersecurity is facing a significant shortage of qualified professionals, and this demand for skilled workers is only expected to grow as the threat landscape continues to evolve and become more complex. In the United States alone, it is estimated that there is a shortage of approximately 3.4 million cybersecurity jobs. This shortage is not limited to technical expertise at the board level, but also encompasses a need for a broader understanding of the overall security landscape and the requirements that span across the entire enterprise. Additionally, individuals with experience in effectively communicating incident reports are highly sought after in order to effectively address and mitigate cybersecurity threats.

  • Emerging government regulations

It is of utmost importance for boards to remain well-informed about the ever-evolving landscape of government regulations. As we look ahead to the year 2024, boards must be particularly attentive to impending government regulations such as the SEC rules in the United States and the Digital Personal Data Protection Act, 2023 in India.

These regulations will impose additional obligations on corporations, necessitating enhanced reporting and oversight of cybersecurity matters. Notably, the proposed requirement outlined in Item 407 of Regulation S-K pertains to the periodic disclosure of the board of directors' expertise in the realm of cybersecurity.

India's Digital Personal Data Protection Act, 2023 (the "DPDP Act")

In August 2023, India passed its first long-awaited comprehensive data protection regime, the Digital Personal Data Protection Act, 2023 (the "DPDP Act"). It is the latest legislation governing how organizations will process, retain and protect the digital personal data of individuals. Each organization that collects and processes the digital personal data of any individual, including its own employees, will be required to comply with these new regulations. It is important to note that personal data can only be processed with proper consent or for certain outlined legitimate uses.

The DPDP Act allows the transfer of data outside the territorial bounds of India. However, under the Act, the Government reserves the right to restrict cross-border transfers to countries that it may notify from time to time (a "blacklist" mechanism). The DPDP Act also empowers the Central Government to establish a Data Protection Board that adjudicates on non-compliance with the provisions of the DPDP Act and imposes penalties for any breach.

The DPDP Act prescribes penalties for various non-compliances. The Data Protection Board has the authority to impose fines of up to Indian Rupees 250 crore (about USD 30 million) on Data Fiduciaries for failing in their duty to take reasonable security precautions to prevent the compromise of personal data. Thankfully, the DPDP Act, 2023 provides only for monetary penalties, and not jail time for executives as some earlier drafts did. Even a failure to notify the Board or the Data Principals affected by a breach can attract a fine of up to Rupees 200 crore.


Most challenging issues for the board: key cybersecurity priorities for corporate boards in 2023-2024

  • Review corporate cybersecurity teams and their processes

In order to comply with the upcoming regulations, it is crucial to thoroughly evaluate the corporate cybersecurity organization, starting from the CISO and covering the team members, their training, experience, and processes. It is widely acknowledged in the cybersecurity field that it is not a matter of if, but when a cybersecurity incident will occur. The adversaries in this domain are constantly changing their tactics and introducing new threats, making it imperative to continuously manage and enhance cybersecurity risk management and resilience. To achieve this, it is essential to establish robust processes for reporting cybersecurity incidents and to ensure regular and open communication with the board regarding these matters. Additionally, it is advisable to request frequent updates from the CISO to keep the board well-informed.

  • Provide cybersecurity training for board members

It is crucial to ensure that board members receive comprehensive and ongoing training in the field of cybersecurity. One effective approach is to involve the CISO in the training process. This not only enhances the board members' understanding of cybersecurity but also establishes a valuable connection between board members and the CISO. This connection extends beyond merely managing a cybersecurity crisis and allows for a continuous exchange of knowledge and expertise. Companies can ensure a more secure and resilient digital infrastructure by prioritizing the development of board members' cybersecurity skills.

  • Onboard personnel with cybersecurity expertise to the board

The search for board members with cybersecurity expertise should extend beyond traditional networks. Such individuals can come from various backgrounds, including the tech world, and may be associated with either public or private companies. It is important to seek out board members who possess core cyber security knowledge and the willingness to actively engage in discussions and pose challenging questions, thus gaining a deeper understanding of the risks, consequences, and measures associated with cybersecurity and its risk management.

Onboarding board members who have deep expertise in the cybersecurity domain can provide a valuable perspective, offering a comprehensive understanding of the industry, potential threats, and effective risk management strategies. Specifically, expertise and experience in crisis communication pertaining to the disclosure of cybersecurity threats and vulnerabilities is highly desirable, especially considering the heightened focus on reporting and communication imposed by upcoming government regulations. It is crucial to recognize that cybersecurity threats pose significant risks to shareholder value, brand reputation, market share, and the long-term survival of a company.

Statistics data source: Diligent Institute, Businessworld

#board #challenges #cybersecurity #2024 #2023 #boardofdirectors


Author: Prakash Padariya

Started career in IT Security & enjoying every bit of it for 20+ years now.

Global CISO, Mentor, Investor, Board Advisor; Deep Interests in Cyber Security, Drones, CleanTech, AgriTech

All views are personal.
Sanil N.

PhD, Author, LLB, Tech | Cyber Security Leader with 20+ Exp | Expert in AI & LLM model | Securing world's largest enterprise

1y

Great insights Prakash