Survey Reveals Surprising Lack of Cybersecurity Expertise on S&P 500 Company Boards
Has Many Asking If We’re Still Living in the 1980s
Remember the hapless Mr. Carlson from WKRP in Cincinnati? Is that who you want calling the shots for your company’s security?
According to an analysis conducted by software provider Diligent, a staggering 88% of companies listed on the S&P 500 lack directors with expertise in cybersecurity.
Sadly, this news comes just in time for October “Cyber Security Awareness month.” At this sober time of year, we pause to remember the growing number of companies, government agencies and organizations that have fallen victim to ransomware hacks, DDoS attacks, phishing attacks, IT infrastructure invasions and database infiltrations that represent an ever-increasing share of our national crime problem.
If business leaders paid more attention to the headlines, this 20th Cyber Security Awareness Month would resemble Amazon Prime Day or Black Friday. Now would be a good time to engage in a data protection software spending spree to protect your company’s defenses against the hordes of cyber hackers and phishermen storming the gates.
If present trends continue, more and more companies will find coal and razorblade-filled poison apples rather than candy bars and candy corns in their Halloween goodie bags. Unfortunately, cybersecurity expertise is not keeping pace with the increasingly dense cybersecurity threat matrix.
The Diligent survey generously categorized as “experts” individuals who have held significant positions such as Chief Information Security Officer (CISO) or those with noteworthy experience in technology.
Another skeleton in the closet is that 57% of S&P boards lack experience in critical non-cyber technology categories. Given the utter dependence of our economy on IT technology, it would be hard to imagine a better recipe for disaster than entrusting management of our most critical data to a mostly computer-illiterate group of highly-compensated people whose main technical skill is the ability to nod or shake their heads.
Criminal entities, aware of the reactive nature of companies, perceive U.S. businesses as lucrative targets for data breaches and ransomware attacks. Addressing this issue demands a shift in perception: security must be seen as something more than sporadic employee training and software upgrades. The greater a company’s dependency on technology, the more urgent the need for a holistic cyber strategy, especially for larger corporations.
Given the universal reliance on technology among companies on the S&P 500, the imperative need for cybersecurity acumen within their boards is evident. Boards are the bedrock for establishing company priorities and steering business growth. The absence of directors with a nuanced understanding of the sophisticated strategies employed by cybercriminals casts a shadow on the credibility of their security measures.
Some in the cybersecurity community hoped that the enforcement of new Securities and Exchange Commission (SEC) cyberattack reporting rules from September 5, 2023, might nudge companies towards heightened online security awareness. Despite being a move in the right direction, these rules missed the mark by omitting a critical provision – mandating companies to disclose cybersecurity expertise within their boards. Amidst concerns about defining specific expertise levels, availability of qualified experts, and potential impacts on board diversity, the SEC retracted this sensible clause.
A silver lining in the new SEC reporting rules is the mandate for publicly traded companies to disclose cyberattacks and their ramifications on business operations. This valuable information empowers shareholders to scrutinize the cybersecurity awareness and expertise of companies they invest in. Immediate access to a company’s EDGAR Database filings reveals the frequency and magnitude of recent cyberattacks, holding companies accountable for their security practices and protocols.
In the words of David Platt, SVP & Chief Strategy Officer for Moody’s Corporation: “As cyber threats continue to rise, it is more important than ever for boards of directors to increase their understanding and education around cybersecurity. By enabling themselves with this knowledge, directors can help best guide the organization to make strategic decisions to mitigate risk and better ensure the security and long-term success of the business for many years to come.”
Small businesses are not mere bystanders; they contribute to the overall “threat surface” for their associates and clientele. A surge in inquiries regarding security protocols from partners is indicative of publicly-traded companies bolstering their compliance. Your company cannot afford to let down its guard as other companies strengthen their defenses.
The revelations from the Diligent survey underscore a pressing need for enhanced digital security within the corporate landscape. Cybersecurity expertise, coupled with deployment of advanced security measures, is increasingly indispensable. The need for businesses, regardless of their scale, to bolster their cyber strategies is a clarion call that reverberates across the corporate sector, demanding immediate attention and action.
While not every board needs a CISO, the pursuit of at least one director with substantial cyber experience would seem to be a non-negotiable part of any viable long-term business strategy. In the absence of internal expertise, seeking external experienced support is vital.
The Cyber Defense Advisors Virtual CISO (vCISO) program offers small and medium businesses the opportunity to fill the myriad cybersecurity expertise gaps that otherwise might doom these businesses to an everlasting Inferno of insecurity.
Contact us to learn more about how to improve your technology and security.