More Companies Adopt Board-Level Cybersecurity Committees

Adoption of Cybersecurity Committees

As more board members come to understand the importance of cybersecurity, they are forming these committees to make sure that cybersecurity concerns are prioritized and discussed in a confidential setting. John Bruns, global CISO and chief customer advocate at Anomali, and previously CISO of the state of Maryland, said that these committees can help board members understand the number of people and the processes needed "to meet their risk appetite." The state of Maryland, for instance, formed the Maryland Cybersecurity Coordinating Council as a way to better convey shared risks across the state's executive branch, Bruns said.

“Following the 2021 incident at the Maryland Department of Health that resulted in a substantial economic impact on the State, this information sharing became instrumental to building resilience around critical systems and preventing future incidents,” said Bruns. “This committee… allowed key stakeholders, cyber experts, and even Secretaries of each department, to share plans around future cybersecurity investments and strategies with an effort to better align resources and technologies to protect the entire State.”

Another factor driving the creation of these committees is the growing discussion of cybersecurity liability at the C-suite level. As part of the cybersecurity rule it finalized this year, the SEC considered requiring companies to describe their board members' oversight of security risks and their cybersecurity expertise. While the final rule does not explicitly require evidence of board-level cybersecurity expertise, companies must describe their board's oversight of security risks, such as the processes through which the board is informed about them.

“The SEC ruling backed off a little bit in terms of what they were originally talking about doing, but there’s definitely a trend of wanting to get more knowledge to the board on security risks in general,” said Rick Holland, CISO at ReliaQuest. However, Holland warned against boards of directors developing cybersecurity-focused committees merely to check a box showing that they have one.

“I think it’s very easy to say, ‘oh, we have a new subcommittee on cybersecurity risk,’ but it’s another thing to fund the things that need to be done,” said Holland. “There could be a checkbox showing inside perspective and outside expertise, but really what matters is how the board, the business decide to try to quantify that risk and put controls in place.”
