Last Updated on July 18, 2022
What’s one of the single biggest factors hamstringing cybersecurity across US companies, particularly SMBs? Lack of cyber expertise in boardrooms and C-suites.
That’s according to thought leader and venture funder Ron Gula, President at Gula Tech Adventures and former co-founder and CEO at Tenable Network Security.
On a recent episode of The Virtual CISO Podcast, Ron shared with host John Verry, Pivot Point Security CISO and Managing Partner, what he sees as root causes of cybersecurity insufficiency.
Leadership body recommendations
Ron Gula isn’t alone in advocating for more cyber know-how among senior business leaders. The National Association of Corporate Directors (NACD) strongly advocates for improved cyber-risk oversight and incorporates that guidance into its NACD handbook.
“A lot of times these boards don’t even talk about cyber, they talk about tech risk,” notes Ron. “Maybe your tech risk is the supply of your chips and stuff like that. Another good group out there is the Digital Director’s Network. They offer a certification called qualified technical executive, QTE.”
Another good source of info on this topic is the Gula Tech Adventures blog.
As Ron points out, more cyber expertise on the board doesn’t solve all our security problems.
“Why shouldn’t the Securities and Exchange Commission simply just point at all the public companies and say you need a cyber expert on the board?” opines Ron. “Look, if you can put a cyber expert on the board, that’s great—but it doesn’t mean they’re going to make the right decisions. It’s kind of like pointing your finger at Microsoft and saying, ‘Only offer services and products that don’t have vulnerabilities.’ It’s easy to say that from the outside. But can we all find those experts? A lot of CISOs like to go into the boards and present. I don’t know that they want to go on the board and take the risk of accepting those responsibilities, especially for public companies.”
“Look what happened at Target,” adds Ron. “Imagine if we had a technology risk executive at Target, a public company, and they signed off on this. Or look at what happened after SolarWinds. Now that they got renamed to Enable kind of is what happened there, they brought a lot of cyber folks onto that board. Some people are up for that, some people aren’t.”
More cyber awareness among business leadership is all to the good, not just for public companies but for every organization out there: nonprofits, private businesses, schools, etc.
“My wife is on the board of the hospital where we live,” comments Ron. “She’s the only cyber/IT person on it. And it’s astounding some of the conversations, as you would imagine with mostly doctors. If you just extrapolate that to maybe you’re in a farming thing or you’re an airline type of board, you’re probably going to have farmers and airlines in there, as you should. But this is saying: We’re so dependent upon this technology, we need to have technologists at the boardroom level.”
Asking the right questions
As John observes, most US businesses don’t even have a board. But we can aim to ensure that the owner or CEO or COO “… knows enough to ask the right questions.”
One way to foster better questions from leaders would be to get business and cybersecurity execs to speak the same language. That is, talk about business risk using the same impact criteria.
“If you’re a CISO and you walk into the C-suite and explain risk in terms of confidentiality, integrity and availability, or you’re talking about the impact of malware propagating through a network or something of that nature, we’re not talking the same impact criteria,” John says. “If we could talk about that in terms of lost man-hours, in terms of financial costs, or legal and reputational costs, things of that nature, I think that would solve some of the problem.”