Boards Still Lack Cybersecurity Expertise

Few board directors at the most prominent U.S.-listed companies have direct experience with cybersecurity, presenting a challenge for how executives handle cyberattacks. An analysis of board composition in companies in the S&P 500 index found that 88% have no cybersecurity expert as a director. Only seven companies had a current or former chief information security officer on their board, the research found, and in two cases, that was the same person. “This lack of momentum in the boardroom continues to startle me,” said Dave DeWalt, founder and chief executive at venture-capital firm NightDragon, who also sits on the boards of Delta Air Lines and software company Five9. NightDragon and the Diligent Institute, the research and think-tank arm of executive software developer Diligent, conducted the study, published Thursday. Cyber expertise was broadly defined as people who currently work or formerly worked in CISO roles; those who held senior technology positions, but not necessarily cyber roles; and those who had technology experience without having held senior positions. About 52% of companies had a board director with some technology experience adjacent to cybersecurity. This includes people who sit on the boards of cyber companies or have an affiliation with a cybersecurity-related professional organization. Cyber credentials on the board are now crucial for good governance, said Emily Heath, a general partner at VC firm Cyberstarts. Heath, a former security chief at United Airlines and tech provider DocuSign, sits on the boards of cyber companies Wiz and Gen Digital. Directors, in their oversight role, are responsible for ensuring risks are properly managed, including cyber risk, Heath said. “You have to have that cyber knowledge and expertise to know what questions to ask,” she said.

Full Study: 88% of S&P 500 company boards don’t have a director with direct cybersecurity experience; only seven companies have a current or former CISO on the board.