New York Post Profiles Cybersecurity Board Member Joseph Steinberg

The New York Post, the third-largest newspaper by print circulation among all U.S. newspapers, profiles cybersecurity expert Joseph Steinberg in today’s issue, and discusses his advice regarding cybersecurity expertise at the Board level.

In the article, cybersecurity expert Steinberg argues that many corporate boards fail in their fiduciary duty to mitigate cyber risk because, when it comes to cybersecurity specifically, they conflate oversight with management. While Directors are certainly aware of cybersecurity’s importance, Steinberg notes, the world does not have many decades of experience mitigating cyber risk, and, as such, the problem remains both that “best practices” are not well established and that Directors lack the specialized expertise needed to address cyber risk effectively. Sometimes, Steinberg notes, Directors end up getting bogged down in what are truly technical minutiae — such as the specific results of phishing simulations — that should be handled by the CISO. At other times, boards may remain aloof and experience a false sense of security based on heavy investments that are not optimally aligned with the company’s actual risk profile — a deficiency that leaves the organization vulnerable when a major incident inevitably occurs. The difficulty in agreeing upon metrics aggravates the problem — in fact, the tendency to “manage” instead of “oversee” leads some boards to focus on misleading metrics rather than on high-level organizational resilience.

Steinberg emphasizes, therefore, that boards must shift their focus toward strategic oversight, ensuring that management has implemented comprehensive plans to make the business resilient against the adverse impacts of attacks. This requires boards to include members with strategic cybersecurity experience who can ask the right questions and hold management accountable — and do so without overstepping into operational roles. Instead of tracking minor percentage shifts in training completion, for example, boards should evaluate whether remaining exposures are both known and properly managed to an acceptable level of risk tolerance. By prioritizing resilience and high-level risk management, boards can ensure that they are truly protecting the organization’s long-term interests, as well as ensuring that their organizations comply with increasingly stringent regulatory requirements for transparent risk disclosure.
