The number of directors at S&P 500 companies who have cybersecurity experience has increased sharply since last year. But the amount of cybersecurity expertise on boards remains relatively low, at a time when boards are under increased scrutiny for security failings.
As of Aug. 31, 107 directors at 113 companies had professional experience in cybersecurity, according to research conducted by WSJ Pro Research. Together, those directors held a total of 124 S&P 500 board seats and represented 2.3% of the directors on the boards of companies in the index. This same research conducted last November found 86 directors at 91 companies held 100 board seats.
The increase was probably driven mainly by a growing awareness among companies that cybersecurity is core to their long-term business performance, says Jamil Farshchi, chief information security officer at Equifax and a board director at software company UKG. Cybercrime is a large and growing risk to companies, threatening to disrupt their operations, tarnish their reputation, and expose them to legal action and sometimes regulatory penalties if they fail to safeguard data.
An additional incentive to add board members with cybersecurity experience could come from a Securities and Exchange Commission rule passed in July aimed at improving board oversight of cybersecurity risk.
Perception vs. reality
The relatively low level of cybersecurity experience among directors found in our latest research contrasts with the findings of a survey undertaken by WSJ Pro Research and the National Association of Corporate Directors earlier this year. In responses to that survey from 472 corporate board directors, 76% said their board had at least one cybersecurity expert, including 19% who said their board had at least three directors with cybersecurity expertise.
That contrast suggests that some directors may overrate the cybersecurity expertise of board members who don’t have professional experience in the field. Farshchi says that having someone with at least some knowledge of technology on the board is a big step forward, but if the goal is to truly provide effective oversight for cybersecurity, a director needs related professional experience.
He doesn’t believe companies can claim to effectively oversee cybersecurity risk without a director who has specific expertise in the subject. “They can make the claim, but—barring some exceptional circumstances—not credibly,” he says. “It would be the equivalent of a board composed exclusively of CISOs claiming they’re able to provide effective oversight of financial risk. It’s possible, but not likely.”
Of the 107 directors in our latest research who have such expertise, 82 have experience in an executive role, including eight with experience as chief information security officers and 68 as chief information officers. The other 25 directors’ experience comes from either having held a senior government role in cybersecurity or from having led and/or founded a cybersecurity company. The research analyzed data from FactSet , publicly available biographies and social media.
More than half of the directors with cybersecurity experience in our research were board members at financial-services and information-technology companies. About one quarter sat on the boards of industrial and healthcare companies.
Most business sectors added directors with cybersecurity experience, though the healthcare and communication-services industries remained at their previous levels and the real-estate sector lost all of its cyber directors. Of the four real-estate industry directors with cybersecurity experience we found in 2022, two left their boards and two no longer qualified in our research because of the length of time since they had held a cybersecurity-focused role.
No experience necessary?
Not everyone believes that every company’s board needs a director with cybersecurity experience. “Board seats are a limited resource and it is not practical to hire a director for every specialty,” says Shamla Naidoo, head of cloud strategy at cybersecurity company Netskope and former CISO of International Business Machines . “Risk governance for cyber is not fundamentally different from managing risk in any other area.”
Further, Naidoo says that even when a breach is the impetus for a board to improve its ability to manage cybersecurity risk, hiring a single cybersecurity specialist to sit on the board isn’t necessarily the best approach. “This is not a scalable nor thoughtful way to address new risks facing companies,” she says. Instead, she advocates for “a cyber-savvy boardroom with numerous knowledgeable directors.”
Naidoo has co-authored a free e-book for board directors called The Cyber Savvy Boardroom: Essentials Explained, which is available here.
Whatever a board’s composition, most directors aren’t very confident in their board’s ability to handle a cybersecurity incident. While about three-quarters of the directors who responded to the WSJ Pro/National Association of Corporate Directors survey said their board had at least one cybersecurity expert, only 30% rated their board’s ability to oversee a cybersecurity crisis as “expert” or “advanced.” That suggests that most companies are still vulnerable to making mistakes in response to breaches—mistakes that will raise questions about the board’s performance, especially if that board doesn’t include someone with experience in cybersecurity.
Cyber Experience Profiles
The individual directors fell broadly into three categories:
- Professional information technology / information security role: Eighty two directors have direct professional experience in information security, information technology or other applicable roles. For example, Seagate Technology Holdings director, Shankar Arumugavelu, holds the role of senior vice president and global CIO at Verizon.
- Cybersecurity company leader: Nineteen directors have founded and / or led cybersecurity or data security companies. For example, Palo Alto Networks director Nir Zuk co-founded the company and was a co-founder and chief technology officer at intrusion prevention company OneSecure, now a subsidiary of Juniper Networks where Zuk went on to become Chief Security Technologist.
- Government or military cybersecurity role: Six directors were previously senior government or military officials. For example, Huntington Bancshares Inc. director John Chris Inglis joined the board in May 2023 after serving as U.S. national cyber director and in the Office of the National Cyber Director. Inglis also served 28 years at the Nationa…