Legislation introduced on December 17, 2015 would, if passed, improve security transparency on the boards of publicly traded companies. Many companies already recognize the need for a security executive and appoint a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) to lead corporate security programs. While some consensus exists around the security executive's role and title, there is little agreement about how that function is leveled relative to other business functions. As a result, security executives are often not on equal footing with their peers, which weakens corporate security posture. The Cybersecurity Disclosure Act of 2015 (S. 2410) would bring increased transparency and accountability to security by requiring each reporting company to disclose whether its board has cybersecurity expertise. The bill directs the SEC to require reporting companies:
“(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and
(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.”
In other words, boards must identify any board-level information security expertise, describe the qualifications behind it, or, if none exists, describe what other cybersecurity steps the nominating committee (or whoever evaluates board nominees) took into account. Some less obvious implications of this bill are: 1) final accountability for information security rests with the board; 2) every publicly traded company will either have a board member with cybersecurity expertise or will have to state publicly that it does not and explain what it considered instead, which creates strong pressure to find one; 3) the security executive will have board-level visibility and accountability. CSOs and CISOs would then be leveled like other C-level executives because they would answer directly to the board. This is a shift from today, where CEOs are increasingly held accountable for security and must balance business execution against security concerns. Get that balance wrong and the CEO may be fired. Competition for resources between CEOs and CISOs could be fierce under S. 2410, but some CEOs may consider no longer carrying overall accountability for security to be a benefit.