Cybersecurity oversight requires improvement among boards, suggests survey result

Corporate boards are being urged to strengthen their cybersecurity management and adherence to regulations due to the implementation of new SEC disclosure rules.

Cybersecurity has become a board-level concern. Two roles carry most of the responsibility for it: the Board of Directors and the Chief Information Security Officer (CISO).

According to cybersecurity expert Rob Clyde, the Board's role under the SEC's 2025 cybersecurity disclosure rules is to ensure cybersecurity expertise is present or document gaps, oversee the company’s cybersecurity risk management strategy, and be accountable for timely and transparent disclosure of material cybersecurity incidents [1]. This means the board must be actively engaged in understanding cyber risks and ensuring the organization has proper policies, controls, and training to handle cyber events.

The CISO's responsibility involves leading the organization's cybersecurity program, managing the identification and response to cyber incidents, collaborating with other business units to identify critical assets, maintaining documentation and asset visibility, and ensuring compliance with SEC disclosure timelines and requirements [4]. The CISO is also essential in implementing cybersecurity training and preparedness programs that align with regulatory expectations and demonstrate due diligence.

However, CISOs face increasing legal and personal risk, making the clarity in their role and responsibilities crucial to avoid liability [4]. To mitigate this, both the board and CISO must ensure sufficient cybersecurity training and preparedness. This can be achieved by establishing clear roles and responsibilities related to cybersecurity, ensuring regular, comprehensive training and awareness programs, implementing effective controls and risk management practices, and maintaining up-to-date documentation and risk assessments [1][2][4].

A lack of cyber awareness can result in insufficient disclosures, which in turn can trigger investigations and lawsuits. In organizations with less cyber training, the board is less likely to challenge management on technology strategy and issues. To address this, the CISO should communicate key risk indicators effectively and respond to questions about cyber deficiencies raised in the IT audit [3].

Rob Clyde compares this to board members being able to read financial statements and ask good financial questions. He emphasizes that a lack of board cybersecurity education can lead to board members failing to ask hard questions about cybersecurity [3]. To foster a culture of cybersecurity readiness, the CISO is moving towards reporting higher up in the organization due to SEC requirements [5]. Elevating the CISO to the executive team allows them to regularly report to the board and answer questions.

In organizations where the board prioritizes cybersecurity, cybersecurity teams are more likely to report to a CISO. The Securities and Exchange Commission has introduced cyber disclosure rules, which necessitate transparency and accountability in cybersecurity matters [1]. The potential penalties for cyber incidents are growing, making it crucial for organizations to invest in robust cybersecurity measures and education [6].

In conclusion, the board is accountable for oversight and governance, insisting on cybersecurity expertise and transparent reporting, while the CISO operationalizes preparedness, incident response, and training programs that support compliance with SEC’s cyber disclosure rules and reduce organizational risk. Both roles are critical in fostering a culture of cybersecurity readiness and ensuring adherence to evolving regulatory requirements [1][2][4].

References:

1. SEC's 2025 Cybersecurity Disclosure Rules: What Boards Need to Know - Deloitte
2. ISO 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements
3. Board Cybersecurity: It's Time for Action - Clyde & Co
4. CISOs' Personal and Professional Risks Are on the Rise - Forbes
5. The Evolving Role of the CISO - Gartner
6. Cybersecurity: The New Frontier for Directors and Officers Liability - Aon

In light of the SEC's 2025 cybersecurity disclosure rules, the Board of Directors must ensure that they understand cyber risks, have sufficient cybersecurity expertise, and oversee the organization's risk management strategy. The Chief Information Security Officer (CISO), on the other hand, is responsible for implementing cybersecurity training and preparedness programs, managing incident response, and aligning with regulatory expectations. To mitigate risks for both parties, it's crucial to establish clear roles and responsibilities, enhance training and awareness programs, implement effective controls and risk management practices, and maintain up-to-date documentation and risk assessments.