The Securities and Exchange Commission proposed some new guidelines last year to promote better cybersecurity governance among public companies, and one of them tries to track the cybersecurity expertise of the boards of directors of these companies. Judging from a new study conducted by MIT Sloan cybersecurity researchers and recently published in the Harvard Business Review, it might work — though it also might backfire.

The study surveyed 600 board members and found their interactions with chief information security officers are lacking. Fewer than half of the respondents have any regular contact, mostly limited to presentations made at board meetings and not much else. That makes any meaningful dialogue difficult, and it’s hard for CISOs to speak the language of business — meaning talking about money and the financial impacts of security decisions. This is not a new finding: Security expert David Froud has been writing about this for many years.

For example, the HBR article mentions that the typical cybersecurity presentation at a board meeting focuses on the mechanics: how often the information technology department runs phishing awareness tests or other protective actions.

The survey did reveal new ground. “We saw how few board members focus on cyber resilience,” Dr. Keri Pearlson, one of the study’s authors and executive director of the Cybersecurity at MIT Sloan Research Consortium, told SiliconANGLE. “Instead they focus on protection, which, of course is part of resilience. The evidence shows that we cannot be secure enough by trying to keep the bad guys out. We need to be resilient.”

Pearlson drew an analogy with the medical world. “When we are exposed to an infection, we either don’t get sick, or if we do get sick, we have things in our bodies that automatically go to work to get us back to being better.”

The survey found that only 67% of board members believe human error is their biggest cyber vulnerability, although findings of the World Economic Forum indicate that human error accounts for 95% of cybersecurity incidents. That is a big difference in perception.

One reason is cited by the authors: “Directors may shy away from asking difficult questions because they feel they are not knowledgeable enough about technical concepts to properly articulate the question or even to understand the answer.” Most boards have few members with any cybersecurity experience, and mostly composed of business executives.

“Board members have so little time to consider so many risks to their business,” said Ladi Adefala, a cybersecurity consultant with Omega316. “Unless there is a significant cyber event, it typically gets very little time, say less than 20 minutes.”

And that brings us to what the SEC is trying to do with its proposed regulations. The agency wants companies to disclose whether “any director has prior work experience in cybersecurity,” according to its proposal. That includes whether someone has been a CISO or has had any position that mentions security in its title, had any cyber certifications, or has specific cyber knowledge.

That could be counterproductive. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on his or her back and will be blamed for any future threat or exploit. Then, what if a board member took an exam, such ae COMPTIA’s Security+, and didn’t pass? They would still have some cyber knowledge. Does this mean they still have to disclose this to the SEC?

If you examine the wording carefully, you will see that just about any computer science grad would probably have taken some security training (hope springs eternal) and would need to disclose this. Adelfala thinks the proposed rules could “serve as an incentive to increase cyber engagement and effectiveness.”

Also counterproductive is suing your CISO. The case of Uber Technologies Inc.’s Joe Sullivan who was convicted last fall for covering up Uber’s breach in 2016, bears mention. He won’t serve any time behind bars, having been given a sentence of three years’ probation.

Adefala recommends setting up a dedicated cybersecurity committee within the board that focuses on resilience, something he has done as part of his consulting practice. Think of it as providing a cyber civics class.

More recently, a group of researchers examined the qualifications of the CISOs of the top 1000 US public companies. They found only 14% could be considered as candidates for boards of directors. Even fewer of them have first-hand board experience.

That could work, but I have my own modest proposal on how to determine cyber knowledge: a quiz that I developed a few years ago, somewhat with tongue in cheek. A company could use it, or something of its own construction, as a way to vet board members, and perhaps begin a discussion on how to move toward the SEC’s intent at directing a more resilient cyber effort.

“Finding new board members who bring the right mix of cybersecurity expertise and business acumen is challenging,” says Pearlson. What’s needed, as she writes in HBR, is for “boards to discuss their organization’s cybersecurity-induced risks and evaluate plans to manage those risks.” With these conversations, boards will be able to take the next step to provide adequate cybersecurity oversight.

Image: Christina @ wocintechchat.com/Unsplash