President Joe Biden recently called on the private sector to strengthen its cybersecurity measures, citing “evolving intelligence” about the risk from Russian hackers. The Securities and Exchange Commission, meanwhile, has proposed requiring public companies to disclose whether they have cybersecurity experts on their boards.
Few businesses currently have digital guardians in their boardrooms. Just 4% of the largest U.S. companies on the Russell 3000 index have cybersecurity expertise, as the National Association of Corporate Directors senior vice president Friso van der Oord tells Marketplace. “That’s an enormous gap,” van der Oord said.
Financial services and energy companies are further ahead in preparing for cyberattacks than organizations in other sectors, as Mandiant vice president John Hultquist tells Barron’s. Fewer than 40% of attacks actually involve malware, adds CrowdStrike chief technology officer Michael Sentonas, noting that stolen credentials or other rudimentary techniques also allow hackers to breach ill-defended systems.
Board members are finally ready to focus on cybersecurity, notes CyberGRX CEO Fred Kneip, writing on Forbes.com. Kneip suggests directors work with their organizations’ cybersecurity practitioners to create a “register” of high-risk areas. Security pros should be asked for recommendations on how to improve protections and should collaborate with the board to outline cybersecurity goals and what is needed to achieve them.
Companies continue to struggle to hire people with cybersecurity expertise even far beyond the corner office. As Computer Weekly reports, a new survey by the IT industry association ISACA finds that 63% of respondents had open cybersecurity roles, up from 55% a year earlier.