In our increasingly interconnected world, the Internet of Everything is making trust a critical element of how people use network-connected devices to work, play, live, and learn. The relentless rise in information security breaches underscores the deep need for enterprises and governments alike to trust that their systems, data, business partners, customers, and citizens are safe.
Consequently, I see an evolution taking place regarding accountability in cybersecurity moving up to the boardroom level, an issue I discussed earlier this year in Fortune. In a recent Information Systems Audit and Control Association (ISACA) report, 55 percent of corporate directors revealed that they have to personally understand and manage cyber as a risk area. The National Association of Corporate Directors recently published a document on corporate directors’ ownership and management of risk in cyber for public companies. In March of this year, an SEC commissioner said that the SEC plans to create a requirement for corporate directors regarding managing cybersecurity as a risk.
Frankly, it’s about time. In today’s cyber economy, every company is an IT company. Accountability in this risk area for businesses needs to uplevel all the way to the C-suite. Security really is everyone’s business – something Cisco has been saying for years – and it is now clear that it is everyone’s responsibility as well, not just those with the word “security” in their title or job description. Corporate boards of directors across all industries will begin to ask tougher questions about the security controls that their organizations have in place, and those organizations will need answers. So when I think about the future of cybersecurity, part of that future includes greater engagement in the boardroom.
CISOs need to prepare for this increased level of responsibility by instituting a set of risk controls. This heightened attention will bring about a maturation and evolution of cybersecurity like nothing else ever has. I believe that we will see substantive changes in the next year, both in the U.S. and abroad, in how corporations will manage risk and cybersecurity. We need it now.
Cisco is committed to this issue through further investment in the Cisco Security and Trust Organization. The Security and Trust Organization’s charter is to meet customer expectations regarding trustworthy product development, secure solutions delivery and corporate responsibility. The organization will have corporate-level responsibility for customer data protection, secure processes and compliance. In short, we will continue to be laser-focused on the security of our customers, our products and our company.
I recently posted a video blog discussing the importance of cybersecurity transparency and accountability to the board. Please let me know your thoughts in the comment section.
Thanks, John, for highlighting this opportunity. The full report is available at http://www.NACDonline.org/Cyber
NACD will continue to discuss directors’ roles involving cyber security oversight in 2015 during programs and content.