The Time for CISOs and CIOs on Company Boards is Now
By The Claroty Team | Jul 13, 2021
The supply-chain attacks that disrupted fuel and meat distribution and threatened water supplies, along with a surge in ransomware that affected hundreds of thousands of organizations, have elicited an urgent and broad response from the U.S. federal government. In May 2021, the White House issued an Executive Order focused on protecting IT and operational technology (OT) networks. Two weeks later, the Transportation Security Administration (TSA) announced new incident-reporting procedures and cybersecurity requirements for pipeline owners and operators. And in early June, the White House sent an open letter to U.S. companies urging them to take immediate steps to protect themselves against the threat of ransomware.
The message is clear. We must fight this cyberwar together with both private and public sector entities bearing responsibility to act swiftly to strengthen their security posture.
Today’s highly distributed and hyper-connected world has allowed us to keep communicating, collaborating, and moving the economy forward while life as we knew it was shut down. Those at the forefront of digital transformation were able to support huge shifts in business and operating models and unlock new business value in terms of operational efficiency, performance, and quality of service. Strong technology leaders elevated cybersecurity as an enabling factor in an expanding and open environment where IT and OT network convergence is inevitable. At Claroty, our teams worked with many industrial companies to quickly implement The Claroty Platform to identify, manage, and protect their OT, IoT, and IIoT assets.
As digital transformation and cybersecurity underpin our way of life, the time has come to include CIOs and CISOs on company boards. It’s no secret that diversity is a hot topic these days. However, diversity not only includes gender and racial diversity, but also diversity of thought. Technology expertise is especially lacking at the board level. In fact, a 2020 report finds that in 2019, approximately 70% of new independent directors came from CEO, operating, or senior finance experience, with no mention of technology experience representation. As the public-private discussion on risk and security is heightened and becomes more complex, organizations must look towards a future that includes technology experts on their boards.
The value CISOs and CIOs bring to the table
Risk is an essential part of any executive decision. But as enterprises respond to recent government mandates and initiate new digital transformation projects, many are finding that accurately identifying – much less reducing – risk is exceedingly complex, particularly in industrial environments. Boards need CISOs and CIOs among their leadership who can advise on moving forward with digital change initiatives and help companies improve their resilience to threats. As board members, CISOs and CIOs can explain how changes to the infrastructure can increase growth and/or reduce risk, as well as explain the organization’s risk posture, including exposure from new initiatives and the relative impact of potential breach scenarios, and what can be done to mitigate risk. They can also elevate the conversation to ensure understanding, more informed decision-making, and total business alignment, which is especially crucial during a crisis when companies need to move even faster.
When boards lack the CISO and CIO perspective, various scenarios can play out. In some cases, we see complacency where some boards feel they’ve done enough to weather the uncertainty of 2020. The immediate urgency has passed, and they plan to continue with the status quo until life “returns to normal.” In other cases, boards have been stymied from making important strategic decisions because they lack the background to understand the full extent of opportunities for digital transformation. They gained an appreciation for what is possible over the last year and saw the positive impact on the bottom line, but don’t know how to move forward.
These situations are problematic for several reasons. First, in the rush to support productivity and keep the business moving, most teams didn’t have the luxury of planning for failure. It’s time to focus on maximizing resiliency. Second, it has become painfully obvious that disruptions are inevitable and that successful companies will be those that remain agile. Third, all critical infrastructure sectors are facing heightened threats as adversaries take advantage of an expanding attack surface and of legacy devices, never designed for Internet connectivity, now being connected. There’s urgent work to be done to reduce exposure. And finally, boards likely would have embraced digital transformation sooner had they had the benefit of the expertise, experience, and insights that CIOs and CISOs can provide to ensure it was done securely. They must start rethinking infrastructure and security.
A lack of technology experts on corporate boards is exposing companies to unnecessary business and compliance risk and slowing down progress. We need to make lasting changes to the makeup of boards so we can not only weather disruptions with better business outcomes and mitigated risk, but also do our part to protect the systems that run the world’s infrastructure and are responsible for our well-being.