Board Governance and Cybersecurity: advice for Solving the talent gap

I am pleased to share this article, co-authored with my colleague, Vikram Desai, Accenture’s Global Security Strategy & Organization lead.

We recently had the opportunity to dine with a dozen board directors and discuss the intersection of geopolitics and cybersecurity. Vikram led the discussion with  Nathaniel Fick, the first U.S. ambassador at large for cyberspace and digital policy, operating at the highest levels of cyber, digital, and A.I. policy and action.

The Ambassador shared his real-time view of the state of geopolitics, the resulting corporate operating risks, and actions he urged companies to take now:

• What’s Happening: Current and emerging regional conflicts (e.g., Russia-Ukraine) are heating up quickly, and companies may need to exit or technically rapidly and operationally silo pieces of their business. The ramifications can be profound.
• Right now: Corporations need to understand and plan to mitigate the more significant resulting business impacts on their supply chain, manufacturing, technology, and people. This is a challenging task, but being ready is critical.
• Where to Start: China, but create a modular plan that can be applied to other countries as geopolitics evolve.

 It was an insightful and engaging evening. As a workforce strategist and Board & CEO advisor, I was most intrigued by the human side of this issue, precisely the talent needed for the right defensive moves. Ambassador Fick emphasized the need to close the talent gap as he built his new organization inside the U.S. State Department and guided the private sector on how to do the same. Fick said, “building a new entity inside a big bureaucracy” requires “attracting great people and rewarding them for their service. In fact, Ambassador Fick recently shared the news on LinkedIn about the State Department’s plan to “put a trained cyber and digital officer in every embassy around the world by the end of next year.” This will go a long way to shore up the essential elements of the long-term success of the U.S.’s technology diplomacy. Here is yet another employer competing for this critical talent.

The Partnership for Public Service has launched The Cybersecurity Talent Initiative as a private-public partnership designed to recruit and train a world-class cybersecurity workforce. The estimated shortage of cybersecurity workers in the United States is 600,000, and the expected annual cost of data breaches by 2024 is $5 trillion. How much would the risk to long-term shareholder value be reduced if we could produce a ready-now pool of culturally cyber-savvy workers? 

The Role of the Board

Cyber-attacks have become increasingly frequent and sophisticated in recent years, and businesses of all sizes remain at risk. Adding to the pressure, U.S. regulators are proposing a range of new or updated rules for cyber incident reporting, disclosure of information, and oversight, as noted in this March 23 Wall Street Journal article. These rules and updates are scheduled to be effective in the coming months.

A successful cybersecurity strategy must be comprehensive and involve all areas of the organization, from I.T. to H.R. to legal to communications. The Board of directors oversees this strategy and ensures the organization is adequately prepared to prevent, detect, and respond to cyber threats. It has the talent needed for successful execution. The right talent includes technical experts with deep knowledge of cybersecurity but also business operating professionals with expertise in risk management, compliance, and governance.

Talent is about more than just hiring the right people. It is also about retaining them and providing ongoing training and development opportunities. Cybersecurity is a rapidly evolving field, and organizations must stay updated with the latest trends, threats, and technologies. The Board should ensure the organization has a robust training and development program to keep its cybersecurity professionals skilled and engaged. 

In addition, the Board must also ensure that the organization has a strong culture of cybersecurity because people remain the #1 weakness exploited by attackers. This means promoting a “security-first” mindset throughout the organization from the top down. The Board must set the tone for the organization and prioritize cybersecurity as a business-critical function. This culture should be reinforced by policies, procedures, and guidelines that promote best practices and ensure compliance with relevant regulations and standards.

Deep Specialist and Broad Generalist Skills

What specialist talent and skills are needed for a successful cybersecurity strategy, and why is cyber fluency across the organization so critical? Cybersecurity requires a wide range of specialist skills, including but not limited to:

1. Architecture: The ability to design secure systems and networks and understand how various components interact.
2. Threat Intelligence: The ability to detect and analyze cyber threats and vulnerabilities and to develop countermeasures.
3. Incident Response: The ability to respond effectively to a cyber-attack, minimizing the impact of the incident and recovering operations as quickly as possible.
4. Compliance and Risk Management: The ability to ensure the organization complies with relevant laws and regulations and manages cybersecurity risks.
5. Governance: The ability to create policies, standards, and guidelines that govern the organization’s cybersecurity practices and ensure accountability
6. Basic Cyber Hygiene: Employees should know best practices such as strong passwords, two-factor authentication, and regular software updates.
7. Human Awareness: Employees should be able to recognize phishing attempts and other social engineering tactics used by cybercriminals.
8. Data Protection: Employees should be aware of the importance of protecting sensitive data, such as personally identifiable information (PII) and intellectual property.
9. Incident Reporting: Employees should know how to report cyber incidents or suspicious activity.

In addition to these specialist skills, it is essential to have a broad understanding of cybersecurity across the organization. This is what is referred to as “cyber fluency.” Every employee should be aware of the risks associated with cyber-attacks and how to protect themselves and the organization, including the effective and safe use of digital technologies, how to use software and hardware, and a deeper understanding of online behavior, privacy, security, and digital ethics. Every employee needs to be able to identify potential online threats such as phishing or malware and take appropriate protective measures. The imperative is a pre-rehearsed plan of action for when an attack happens because it will happen. That plan should cover technology, operations, and emergency communications/P.R.

Not having the right specialist and generalist talent can create significant risks to long-term shareholder value. These risks include:

1. Reputational Damage: A cyberattack can damage an organization’s reputation and erode customer trust, leading to a loss of revenue.
2. Financial Loss: A cyberattack can result in significant financial losses, including theft of funds, litigation costs, and regulatory fines.
3. Operational Disruption: A cyberattack can disrupt an organization’s operations, leading to productivity losses and decreased efficiency.
4. Legal and Regulatory Non-Compliance: Failure to comply with relevant laws and regulations can result in fines, legal action, and reputational damage.

HR’s Role

The HR team is critical in developing and implementing a comprehensive cybersecurity talent strategy, working closely with the CISO and other stakeholders. It doesn’t have to be overly complex. Instead, there are fundamentals needed to ensure that the organization has the right cybersecurity talent in place:

1. Develop clear job descriptions and requirements for cybersecurity positions, including specialist roles embedded in other critical functions.
2. Implement a robust recruitment process that targets cybersecurity professionals with the necessary skills and experience; because talent competition will be fierce, look in non-traditional places such as 2-year degree programs and vocational training schools.
3. Develop competitive compensation packages that attract and retain top cybersecurity talent.
4. Implement ongoing training and development programs to ensure that cybersecurity professionals have the latest skills and knowledge and offer to upskill employees interested in adding a new capability to their skills portfolio.
5. Establish a culture of cybersecurity that promotes ongoing learning and collaboration across the organization.
6. Provide opportunities for career progression and advancement within the organization to retain top talent and promote loyalty. The Board must hold the CEO accountable for ensuring that the CHRO partners with the CISO, CIO, and business leaders to build and execute a robust cybersecurity workforce strategy. 

The last weak link is the board-level talent needed to address these challenges. In February 2023, Forbes published research that suggests that 90% of boards still need to be ready for SEC cyber regulations. While adding a cyber expert is an excellent first step, directors must educate themselves, develop cyber governance processes, and clarify the board, committees, and management responsibilities. NACD, proxy advisory firms, and consultancies offer programs and solutions to accelerate board readiness. It’s an investment that must be made now.