Should your clients have a chief security officer on the board?

By Greg Meckbach | April 17, 2019 | Last updated on October 30, 2024

Your client may or may not need a chief security officer [CSO] on its board of directors, but cyber risk should nevertheless be high on its radar screen, speakers told insurance professionals Tuesday.

“If the board doesn’t say, ‘Cyber security is our number one risk’ … then the [chief security officer] probably hasn’t done his or her job,” said Vivek Khindria, vice president of cyber security and technology risk for Toronto-based supermarket chain Loblaw Company Ltd.

Khindria appeared Tuesday on a panel at the International Cyber Risk Management Conference. Moderator Doug Howard, vice president of global service and IT Innovation at RSA Security LLC, asked the panelists what someone joining a board of directors today would need to do to understand cyber security and risk.

“You’ve got to start by looking at the [cyber security] program,” said Nick Steele, deputy chief security officer of Dell Technologies Inc.

Board members should ask whether the company they are overseeing actually has a CSO, noted Steele, a former deputy global chief information security officer for the Sony Group family of companies.

“What do the roles and responsibilities look like? What power and authority does the CSO have? What funding do they have? Is he or she communicating effectively at the executive level?”

Some question whether the board should even include the CSO or an expert on IT security, panelists suggested.

“There is a lot of discussion around whether boards should have dedicated security functions and things,” said Steele. “I don’t know that I would buy into that. I don’t think you necessarily want boards to become experts in cyber security, but where I have seen success is where they pick perhaps one board member – with maybe a little bit more technical acumen and background – who can be an advocate, be supportive and understand that cyber impact a little bit better.”

Some corporate boards will have a subcommittee on risk, said Khindria.

“It is encouraging that the baseline of questions is evolving. Ten years ago, a breach would happen and the typical board question would be: ‘Could that happen to us?’ They have started to get a lot savvier and they bring in experts and bring in challenging questions and bring in consultants to poke at the program.”

Corporate directors today tend to ask questions such as whether the company is doing enough to mitigate cyber risk and whether the cyber risk department has adequate resources and skills, Khindria told ICRMC attendees.

“Now the questions are actually getting more strategic,” said Khindria. “Boards are discussing: ‘We are about to move data here to here, we are going to link these things, and create this new service. Should we even do it? What’s our risk appetite? Do we have enough confidence we can manage that securely?’ That evolution, I think, is a great indicator of boards heading in the right direction and structuring themselves properly.”

ICRMC was produced by Toronto-based MSA Research Inc. and held Apr. 15-16 at the Metro Toronto Convention Centre.
